On Sept. 12, Armis labs disclosed that they have identified 8 new vulnerabilities in Bluetooth potentially exposing any Bluetooth-enabled device including Android, Windows, Linux, iOS and various IoT devices to attack. These attacks could range from remotely switching on cameras for pictures and videos, turning on microphones, to stealing credentials by MITM (Man-In-The-Middle) attacks, etc.
These Bluetooth vulnerabilities can potentially allow hackers to do one or more of the following depending on the platform, OS version etc.:
- Take full control of the device remotely
- Route all traffic through a malicious proxy by reconfiguring IP routing
- Leak Bluetooth encryption keys
- Memory corruption
- Remote code execution
How is BlueBorne different:
The security industry has traditionally focused on network-based attacks and largely ignored the complex protocols that govern Bluetooth. For hackers, it is a potential gold mine as Bluetooth enjoys very high-privileges on devices and requires very little interaction from the end user. The BlueBorne attack is different in many ways than a typical cyber-attack. Here are some of the key differences:
- Blueborne does not require a network to spread. BlueBorne spreads locally over the air via Bluetooth and requires no connection to a network however secure it may be.
- Blueborne does not require user input to click on a link or download a malicious file
- BlueBorne also does not require pairing of Bluetooth. If Bluetooth is enabled, a hacker can exploit the vulnerabilities on your device and launch an attack without user interaction.
- An infected device can potentially spread the virus by simply being in proximity of another device with Bluetooth switched ON.
Here is the information on all security bulletins:
- Google Security Bulletin
- Microsoft Security patches
- Linux patches for leak vulnerability and remote code execution.
How can Citrix XenMobile help?
While Armis Labs identified the vulnerabilities in April 2017 and worked with major device manufacturers to issue a fix, Citrix XenMobile, a comprehensive Unified Endpoint Management (UEM) solution for securely managing all of your endpoints ranging from iOS, Android, Windows, Mac to ruggedized and IoT devices, can provide security protections to your users and your organization. Using XenMobile, you can take preventive measures to fend off attackers against BlueBorne attacks by enforcing MDM policies on the device and effectively reducing the attack surface.
XenMobile Secure apps mitigate risk from BlueBorne attacks
As long as you have a device passcode setup and Secure hub PIN configured, the XenMobile App container is not susceptible to Blueborne attack. XenMobile app container, MDX, uses its own software applied data encryption using FIPS compliant algorithms, 256 bits keys, 256 bit salts and IVs, and a device salt. The primary keys are held on the device, but encrypted by a PBKDF2 hash of passcode with 10K or more iterations. As long as the user’s PIN/passcode is not compromised, it will be not easy to attack the encryption other than by brute force. With salts and other factors we use to encrypt keys and data itself, a brute-force attack would be very hard to accomplish.
OS updates
The latest Android, Windows, Mac OS and Android OS updates have security patches built in for BlueBorne vulnerabilities. However, not all devices are up-to-date with the latest releases, which puts them at risk. XenMobile can help you push OS updates in the following manner:
- Control OS updates on DEP-enabled and XenMobile-managed iOS devices: XenMobile admins can use MDM policies on iOS devices to download and update the OS on the devices without end-user interaction. This will ensure a periodic check on OS and an up-to-date fleet of secure iOS devices.
- On macOS devices, you can now deploy OS updates. This requires device supervision or DEP (Device Enrollment Program).
- Google Pixel and Nexus devices are already setup to receive auto OS updates. XenMobile recommends its customers to obtain the latest OS update from their OEMs.
- Update Samsung devices with Samsung KNOX 2.7.1 and above using XenMobile. Samsung E-FOTA service can be leveraged via XenMobile to push OS updates without any user interaction.
- Setup compliance policies and automated actions for devices not on the latest OS update: Using XenMobile automated actions, an admin can setup polices ranging from notifications to blocking emails and access to corporate resources for out of compliance devices.
- XenMobile will be shortly adding capabilities for Automated Windows OS updates over the air. Devices would need to be MDM managed.
Disabling Bluetooth
Even if we patch all the eligible devices with security updates, not all devices are setup for receiving over the air zero-day OS updates. A lot of Android devices do not even get over the air OS updates directly from Google. The OS updates to these devices are relayed via cellular network providers which typically push down customized packages and run a few months late. XenMobile can help you secure such endpoints by disabling Bluetooth on those devices until the time all end points are patched and secured. Here is how you do that for various platforms and device types:
Android
Using XenMobile’s granular deployment controls, we are able to push restriction policies to a subset of devices and not affect all devices on that platform. Here is how you would setup a Bluetooth disable policy say only for Samsung devices. I have set two conditions:
- The devices have to be corporate owned to honor the user privacy and,
- The device OS is below the required OS update with security patch
iOS
Devices with iOS 10 and above are not vulnerable to BlueBorne. However, should you choose to disable Bluetooth on them, XenMobile can help you do that. The devices need to be in supervised mode.
Windows Phone
XenMobile can help you disable Bluetooth on Windows Phones.
Windows Desktop
XenMobile can help you disable Bluetooth discovery of Windows desktops.
Blacklisting use of Sensitive applications
Patching OS updates and disabling Bluetooth on unpatched devices would reduce the attack surface area. However, there is always a risk that some devices would still remain at risk either because they are not eligible for OS updates, OS updates are not provided by OEMs yet or Bluetooth cannot be disabled due to lack of MDM APIs for that device model. For that small subset of devices, we recommend Blacklisting of sensitive applications such as Salesforce1, Workday etc. Using XenMobile, you can setup automated actions for removing such sensitive applications on the device.
Other XenMobile security capabilities and best practices to reduce the attack surface:
- XenMobile UEM supports configuration of Windows Defender over the air using MDM policies. We recommend our customers enable Windows defender on Windows devices.
- XenMobile supports smart access that provides conditional access to Citrix Workspace on mobile endpoints. This includes access to mobile, web, SaaS and virtual apps with mobile SSO. Using smart access, an out of compliance device’s access to any app can be revoked and automatically later restored when the device is remediated.
- Migrate to XenMobile cloud and get access to the latest security policies and support for new MDM APIs as they become available.
Summary
Armis labs believes there are more Bluetooth vulnerabilities yet to be discovered and weaponized. We at Citrix believe that whether it is Blueborne, or another major threat like WannaCry, the bottom line is that many future attacks are going to be even more sophisticated and we all need to be prepared with a response plan. Protecting endpoints is an essential part of business continuity, underlining the imperative need for a UEM solution to be in place.
Citrix XenMobile is committed to providing secure access to your apps and data without comprising the user experience and privacy. We will continue to add support for additional capabilities on various OS platforms.
We encourage you to read more about XenMobile security in our XenMobile Security Whitepaper and Citrix’s take on how to deal with ransomware.
Stay tuned, stay watchful and stay safe.
Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.
Click here for more TechBytes and subscribe.
Want specific TechBytes? Let us know! tech-content-feedback@citrix.com