Bluetooth attack reveals potential IoT security threat

A Bluetooth exploit that gathers device information may be the tip of an iceberg that threatens, among others, IoT and IIoT.
14 May 2019

A Korean-speaking hacking group known as ScarCruft is behind a good deal of work on Bluetooth device compromise, work that calls into question the future security of the Internet of Things (IoT).

In a post published on Monday by Kaspersky Lab, a piece of malware associated with the group was described as:

“[…] responsible for stealing Bluetooth-device information. It is fetched by a downloader and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information:

Instance Name: Name of device

Address: Address of device

Class: Class of the device

Connected: Whether the device is connected (true or false)

Authenticated: Whether the device is authenticated (true or false)

Remembered: Whether the device is a remembered device (true or false).”

While those pieces of information may not be particularly sensitive in most contexts, the ability of groups to exploit Bluetooth protocols is seen as alarming in cybersecurity circles, as many IoT and IIoT deployments make use of the technology, which lacks a centralized security framework with which to protect itself.

In the past, there have been announcements of Bluetooth security issues, such as this one, which allowed the interception of handshake traffic between devices during the pairing process.

Unpatched older versions of Bluetooth are common in the wild, with legacy apps and services on mobiles, on desktop computers and in industrial settings reliant on older versions of the protocol (version 5-compatible devices are just starting to emerge, with version 4 still held to be most secure). In that situation, patches and updates tend not to be applied, as doing so would “break” these apps and services, which may be important or even business-critical.

The ScarCruft group, which has been identified in the past with the DarkHotel hacking group, is thought to have more political than economic motives. Its activities in recent times have suggested links to North Korea: the investment and trading companies it targeted (from Vietnam and Russia) are known to have trade interests in North Korea.

The security piece from Kaspersky concludes:

“[…] ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on the ScarCruft recent activities, we strongly believe that this group is likely to continue to evolve.”

With hackers’ interest in Bluetooth apparently growing and the IoT sector expanding massively, the combination may well cause security companies more headaches in the future. For insight into the inherent security flaws (or more strictly, potential flaws) in Bluetooth, click here.