Citrix Blogs

Blueborne: Protect Endpoints from Bluetooth Vulnerabilities with XenMobile

On Sept. 12, Armis Labs disclosed that they had identified 8 new vulnerabilities in Bluetooth, potentially exposing any Bluetooth-enabled device, including Android, Windows, Linux, iOS and various IoT devices, to attack. The resulting attacks could range from remotely switching on cameras to take pictures and videos, or turning on microphones, to stealing credentials through MITM (Man-In-The-Middle) attacks.

More than 8 billion Bluetooth-enabled devices are at risk. This includes pretty much every “smart” device: your smartphone, smart watch and smart TV, through to the connected home. The scary part is that an attack does not require any user interaction: if your Bluetooth is switched on, you are a potential victim of eavesdropping and identity theft.

These Bluetooth vulnerabilities can potentially allow hackers to do one or more of the following depending on the platform, OS version etc.:

How is BlueBorne different:

The security industry has traditionally focused on network-based attacks and largely ignored the complex protocols that govern Bluetooth. For hackers, it is a potential gold mine, as Bluetooth enjoys very high privileges on devices and requires very little interaction from the end user. The BlueBorne attack differs from a typical cyber-attack in many ways. Here are some of the key differences:

Here is the information on all security bulletins:

How can Citrix XenMobile help?

Armis Labs identified the vulnerabilities in April 2017 and worked with major device manufacturers to issue fixes. In the meantime, Citrix XenMobile, a comprehensive Unified Endpoint Management (UEM) solution for securely managing all of your endpoints, from iOS, Android, Windows and Mac to ruggedized and IoT devices, can provide security protections to your users and your organization. Using XenMobile, you can take preventive measures against BlueBorne attacks by enforcing MDM policies on the device and effectively reducing the attack surface.

XenMobile Secure apps mitigate risk from BlueBorne attacks

As long as you have a device passcode set up and a Secure Hub PIN configured, the XenMobile app container is not susceptible to the BlueBorne attack. The XenMobile app container, MDX, uses its own software-applied data encryption with FIPS-compliant algorithms, 256-bit keys, 256-bit salts and IVs, and a device salt. The primary keys are held on the device, but are encrypted by a PBKDF2 hash of the passcode with 10K or more iterations. As long as the user’s PIN/passcode is not compromised, attacking the encryption other than by brute force will not be easy, and with the salts and other factors we use to encrypt the keys and the data itself, a brute-force attack would be very hard to accomplish.
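The key-wrapping design described above (a random primary data key kept on the device, itself encrypted under a key derived from the PIN with PBKDF2, a 256-bit salt, a device salt and at least 10K iterations) is worth seeing end to end. The example below is added here for illustration and is not XenMobile's or MDX's own code: the way the user salt and device salt are combined, the HMAC-SHA256 counter-mode keystream standing in for AES-256 so that only the Python standard library is needed, and the `estimate_bruteforce_seconds` helper are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 10_000   # the page states "10K or more iterations"
KEY_BYTES = 32               # 256-bit keys
SALT_BYTES = 32              # 256-bit salts and IVs
TAG_BYTES = 32               # HMAC-SHA256 tag


def derive_kek(passcode: str, user_salt: bytes, device_salt: bytes,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a key-encryption key (KEK) from the PIN/passcode with PBKDF2-HMAC-SHA256.
    Folding the per-device salt into the user salt is an assumption of this example: it
    binds the derived key to one device, so a precomputed table for a PIN is useless elsewhere."""
    salt = hashlib.sha256(user_salt + device_salt).digest()
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def _keystream(kek: bytes, iv: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for AES-256 so the example needs no extra library
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_primary_key(primary_key: bytes, kek: bytes) -> bytes:
    """Encrypt-then-MAC the random primary data key under the KEK.
    Returns iv || ciphertext || tag, the blob that would rest on the device."""
    iv = os.urandom(SALT_BYTES)
    ks = _keystream(kek, iv, len(primary_key))
    ct = bytes(a ^ b for a, b in zip(primary_key, ks))
    tag = hmac.new(kek, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unwrap_primary_key(blob: bytes, kek: bytes) -> bytes:
    """Verify the tag first (constant time), then decrypt. A wrong PIN yields a wrong KEK,
    which fails the tag check instead of silently returning garbage key material."""
    iv, ct, tag = blob[:SALT_BYTES], blob[SALT_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(kek, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passcode or tampered key blob")
    ks = _keystream(kek, iv, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def estimate_bruteforce_seconds(pin_space: int, iterations: int = PBKDF2_ITERATIONS,
                                samples: int = 5) -> float:
    """Time one PBKDF2 derivation on this machine and scale it to an exhaustive search of
    the PIN space (single core, worst case). This is the cost the iteration count buys."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"000000", salt, iterations, dklen=KEY_BYTES)
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * pin_space


if __name__ == "__main__":
    # Constructed sample values: a fresh user salt, device salt and primary key
    user_salt, device_salt = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    primary_key = os.urandom(KEY_BYTES)
    kek = derive_kek("482913", user_salt, device_salt)
    blob = wrap_primary_key(primary_key, kek)
    assert unwrap_primary_key(blob, kek) == primary_key
    try:
        unwrap_primary_key(blob, derive_kek("000000", user_salt, device_salt))
    except ValueError as exc:
        print("wrong PIN rejected:", exc)
    secs = estimate_bruteforce_seconds(10 ** 6)
    print(f"exhaustive 6-digit PIN search on this CPU: about {secs:.0f} s")
```

The point the numbers make: the iteration count turns every PIN guess into 10K HMAC computations, and because the device salt is part of the derivation an attacker who recovers the wrapped-key blob still has to run that work per guess, on that device's salt, rather than reusing a table built elsewhere. A longer alphanumeric passcode multiplies the PIN space far beyond the 10^6 used here.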

OS updates

The latest Android, Windows and Mac OS updates have security patches built in for the BlueBorne vulnerabilities. However, not all devices are up to date with the latest releases, which puts them at risk. XenMobile can help you push OS updates in the following manner:

Disabling Bluetooth

Even if we patch all the eligible devices with security updates, not all devices are set up to receive over-the-air zero-day OS updates. A lot of Android devices do not even get over-the-air OS updates directly from Google. The OS updates to these devices are relayed via cellular network providers, which typically push down customized packages and run a few months late. XenMobile can help you secure such endpoints by disabling Bluetooth on those devices until all endpoints are patched and secured. Here is how you do that for the various platforms and device types:

Android

Using XenMobile’s granular deployment controls, we are able to push restriction policies to a subset of devices without affecting all devices on that platform. Here is how you would set up a Bluetooth-disable policy for, say, Samsung devices only. I have set two conditions:

iOS

Devices with iOS 10 and above are not vulnerable to BlueBorne. However, should you choose to disable Bluetooth on them, XenMobile can help you do that. The devices need to be in supervised mode.

Windows Phone

XenMobile can help you disable Bluetooth on Windows Phones.

Windows Desktop

XenMobile can help you disable Bluetooth discovery of Windows desktops.

Blacklisting use of sensitive applications

Applying OS updates and disabling Bluetooth on unpatched devices reduces the attack surface. However, some devices will always remain at risk, either because they are not eligible for OS updates, because the OEM has not yet provided an update, or because Bluetooth cannot be disabled due to a lack of MDM APIs for that device model. For that small subset of devices, we recommend blacklisting sensitive applications such as Salesforce1, Workday, etc. Using XenMobile, you can set up automated actions to remove such sensitive applications from the device.

Other XenMobile security capabilities and best practices to reduce the attack surface:

Summary

Armis Labs believes there are more Bluetooth vulnerabilities yet to be discovered and weaponized. We at Citrix believe that whether it is BlueBorne or another major threat like WannaCry, the bottom line is that many future attacks are going to be even more sophisticated, and we all need to be prepared with a response plan. Protecting endpoints is an essential part of business continuity, underlining the imperative need for a UEM solution to be in place.

Citrix XenMobile is committed to providing secure access to your apps and data without compromising the user experience or privacy. We will continue to add support for additional capabilities on the various OS platforms.

We encourage you to read more about XenMobile security in our XenMobile Security Whitepaper and Citrix’s take on how to deal with ransomware.

Stay tuned, stay watchful and stay safe.
