This document discusses airborne cyberattacks and the new threat landscape they enable. It describes the BlueBorne attack, which can spread from device to device via Bluetooth without user interaction. BlueBorne impacts over 5.5 billion devices and was the most serious Bluetooth vulnerability to date. It demonstrates how an attacker could use BlueBorne to take over an Amazon Echo and then access a corporate network. The implications are that devices can now be attacked over the air, moving device-to-device. IoT devices need to be viewed as endpoints, and network infrastructure as unmanaged devices. It recommends that device and network discovery and visibility are critical next steps.
1. THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS
Session ID: MBS-W04 (#RSAC)
Nadir Izrael, CTO & Co-Founder, Armis, Inc.
Ben Seri, Head of Research, Armis, Inc.
7. “Bluetooth’s Stagefright Moment”
• 5.5B+ devices at risk
• 2B+ unpatchable
• 9 zero-day vulnerabilities (4 critical)
• Android, Windows, Linux, and iOS
• Most serious Bluetooth vulnerability to date
• Enables RCE, MiTM, and info leaks
13. How Bluetooth Pairs
Diagram: Device 1 (Smart Phone) pairs with Device 2 (Bluetooth Speakers); the phone’s Bluetooth menu shows “Speakers: Connect”, then “Bluetooth Connected”.
• Bluetooth is “on” and discoverable
• User must find and proactively “pair” to the device
• Some authentication or PIN to connect
• Devices exchange keys, and auto-connect without discoverable mode
14. How BlueBorne Works
Diagram: Attacker (Laptop) connects over Bluetooth to Target (Smart Phone), MAC address 00:2b:09:6f:2b:01; outcomes shown are RCE and MiTM.
• Bluetooth is “on”
• Attacker gets the MAC address
• Attacker initiates Bluetooth and attacks using a BlueBorne vulnerability
• No user interaction required
• No pairing
• No approval
• Attacker can take over, create MiTM, get encryption keys, etc.
17. Info Leak (To Desktop)
Diagram: Attacker (Laptop), Target (Keyboard), Linux PC.
• User connected to Linux desktop
• Attacker uses info leak to get encryption keys of the keyboard
• Attacker intercepts keystrokes without running code or doing MiTM
• Attacker can also inject keystrokes to the targeted device
25. The True RCE Vulnerability Ratio
True remote code execution vulnerabilities every year:
• Traditional desktop: 1 per year
• Mobile: 2-3 per year
• Network infrastructure and IoT: 100 per year
27. Infrastructure Is Becoming an Easy Target
• Lack mitigation techniques that are standard in endpoints
• These are similar to all IoT devices
• Updates to these systems are almost never automated
• Public exploits for devices are easy to develop and use
30. BlueBorne Attack
Diagram: Attacker Laptop, Amazon Echo, Network Infrastructure, Corporate Server, Internet; the numbered steps below are marked on the diagram.
Step 1: IoT device attacked
• Amazon Echo taken over via BlueBorne
Step 2: Echo controlled via Internet
• Attacker moves control of Echo to the Internet
• Bluetooth no longer used
• Amazon Echo is used as a relay
Step 3: Network Infrastructure is compromised
• Via the Echo, attacker compromises the Network Infrastructure
• Attack breaks segmentation
• Guest and Corporate are irrelevant
Step 4: Confidential data accessed
• Attacker accesses confidential information
• Can actively interact with other devices
Step 5: Data passed via Internet
• Data exfiltrated over the internet connection
31. Meet the New Endpoint
• Designed to connect
• Hard to update
• No security
• Hard to discover
• Billions of devices
• Many manufacturers
33. The Implications
Item: Airborne Attacks
• Devices being attacked over the air
• Out of the traditional kill chain
• Moving device-to-device
Item: IoT Devices
• Need to be seen as an endpoint
• Gateway to your critical data and systems
Item: Network Infrastructure
• Need to view as unmanaged devices
• Segmentation is exposed and can be broken