CISA released on Nov. 4 this notification, “BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities,” alerting that the researchers that first disclosed the BrakTooth BT exploiter in August have just released a proof of concept tool and BT exploits on GitHub to test Bluetooth devices for a family of new security vulnerabilities. Dubbed BrakTooth, the vulnerabilities affect over 1,400 product listings, including chipsets used in billions of devices from smartphones and computers sold through retailers to Internet of Things (IoT) devices and manufacturing/industrial/CI equipment.
See the comments below about this new revelation of the vulnerability of Bluetooth-enabled devices.
Doug Britton, CEO, Haystack Solutions:
“These vulnerabilities were discovered in complex codebases that have been tested for vulnerabilities hundreds or thousands of times. This yet again makes clear that companies need to keep investing in brains, not tools. Companies need to have security minds that can go off script when the attacker does. These nimble security minds are needed in the product vendors (such as those affected by these vulnerabilities) and the companies that utilize these products. Creativity will be needed on the part of product customers to look for potential indicia of attack.”
Saryu Nayyar, CEO, Gurucul:
“CISA reports a number of vulnerabilities in Bluetooth, and given that it’s a legacy wireless technology, that’s no surprise. The real question is whether or not it can be fixed. Because phones and PCs use Bluetooth extensively, just about everyone is potentially affected by these vulnerabilities.
“If enterprises allow Bluetooth on their networks, it has to be monitored for abnormal activities. Individual users have to be aware of the potential for Bluetooth compromises, but their organizations have to help them. In many cases, organizations can identify unusual Bluetooth activity and let users know that there might be a problem. This is really the only way of identifying and remediating potential attacks against both individual devices and networks in general.”
Bill Lawrence, CISO, SecurityGate.io:
“Vulnerabilities in standard mobile features like Bluetooth that allow devices to seamlessly connect are particularly troubling because of the wide range of manufacturers and an enormous galaxy of mobile devices – don’t forget your car is most likely a BT device. Vulnerabilities, even when there may be patches offered by the builder, will be exploitable for years in any non-patchable devices or a vast number of others that just don’t any electronic fix. On the Bluetooth website itself, it says 2/3 of all cars on the road by 2024 will use BT and they talk about key fob access to cars via smartphone, so this will be a potential vector for tools like BrakTooth. Will there be a massive automotive recall for BT patches? Or could you do it via your smartphone at the same time you patch that?”
Garret Grajek, CEO, YouAttest:
“Braktooth just shows the attackers are in the ‘By any means necessary’ mentality. The attackers are looking for a vulnerability in any of our surface areas - Bluetooth just being a mechanism with the most variants and thus cracks to exploit. The key is to, of course, patch when necessary but also - as the CISA and FBI both recommend - ensuring that the identities that would be compromised in an attack such as this do not contain too much privilege, which can cause damage to the system. This is called the Principle of Least Privilege (NIST 800-53, PR.AC-6) – in which all accounts, such as the Bluetooth service account are checked to see they are not granted too much privilege to overtake the machine and extend attacks into the enterprise. The ‘Principle of Least Privilege’ is done through access controls and vigilant access certifications conducted on a periodic basis.”
Maureen MacGregor shared this information above.
