# Armis BlueBorne Vulnerability Scanner

### Abstract
After disclosing a new Bluetooth-based attack vector, Armis published an Android app that can be used to check whether a device is at risk, or whether the devices around it are. To test this, the [BlueBorne Vulnerability Scanner](https://play.google.com/store/apps/details?id=com.armis.blueborne_detector) was downloaded from the Google Play Store and installed on a device emulator.

Reverse engineering the app shows that the local device risk check simply compares the device's security patch date to a hardcoded date around the time of disclosure, and that the remote (nearby) device risk check and rating is a shallow classification by device manufacturer and type.

### Introduction
Refer to the Armis [resources](https://www.armis.com/blueborne/).

### Materials
* adb
* apktool
* d2j-dex2jar
* device emulator
* jd-gui
* Santoku VM

### Method
1. Spin up the virtual machine and device emulator, then download and install the BlueBorne Vuln Scanner app.

2. Start `com.armis.blueborne_detector.SplashActivity`. Select __Tap to Check__:

   (screenshots: SplashActivity, deviceScan)

3. Wait for the result:

   (screenshot: isVulnerable)

   Select __Check Devices Around Me__.

4. Coarse location permission is requested. Denying the request stops the device scan:

   (screenshots: locationPermission, allowPermissions)

   __Try Again__ and allow coarse location.

5. Bluetooth permission is requested. Denying the request stops the device scan:

   (screenshots: bluetoothPermission, allowPermissions)

   __Try Again__ and allow Bluetooth to be enabled.

6. Wait for the result:

   (screenshots: nearbyScan, riskResult)

7. Inspect:

   (screenshots: lowRisk2, mediumRisk, highRisk)

### Results
Since no permissions are declared in the Manifest, no permissions are requested at installation. Runtime permissions for coarse device location and Bluetooth adapter use are requested. Runtime permissions include:
* `android.bluetooth.adapter.action.REQUEST_ENABLE`
* `android.permission.ACCESS_COARSE_LOCATION`

The Android API level is read to check device capabilities, e.g. `Build.VERSION.SDK_INT >= 18`.

The system prop `ro.product.model` is read to display the local device name.

Device scans are performed by an instance of the public BluetoothAdapter class. Public methods called include:
* `startDiscovery()` - Starts the remote device discovery process
* `cancelDiscovery()` - Cancels the current device discovery process

Public methods called on the public BluetoothDevice class include:
* `.getName()` - Gets the friendly Bluetooth name of the remote device
* `.getAddress()` - Returns the hardware address of this BluetoothDevice
* `.getBluetoothClass()` - Gets the Bluetooth class of the remote device
* `.getType()` - Gets the Bluetooth device type of the remote device
* `.getUuids()` - Returns the supported features (UUIDs) of the remote device
* `.fetchUuidsWithSdp()` - Performs a service discovery on the remote device to get the UUIDs supported

Bluetooth device types include:
* `DEVICE_TYPE_CLASSIC` - Classic - BR/EDR devices
* `DEVICE_TYPE_DUAL` - Dual Mode - BR/EDR/LE
* `DEVICE_TYPE_LE` - Low Energy - LE-only
* `DEVICE_TYPE_UNKNOWN` - Unknown

Scan results are caught by a broadcast receiver registered with the following intent filters:
* `android.bluetooth.device.action.DISCOVERY_STARTED`
* `android.bluetooth.device.action.DISCOVERY_FINISHED`
* `android.bluetooth.device.action.FOUND`
* `android.bluetooth.device.action.UUID`
* `android.bluetooth.device.action.SDP_RECORD`
* `android.bluetooth.device.extra.SDP_SEARCH_STATUS`

Local device:
Either `Build.VERSION.SECURITY_PATCH` or the system prop `ro.build.version.security_patch` is read, then compared to `GregorianCalendar(2017, 8, 1).getTime()`. A local device with a security patch date older than this is considered vulnerable.

Remote devices:
A device scan is started and remote device attributes are read as each device is discovered. The remote device's address prefix is mapped to a manufacturer name from a static list, e.g. "Apple", "HTC" or "Samsung". The remote device is then classified by manufacturer name, e.g. "ios", "android" or "tizen". Risk is then rated from the remote device classification:

Classification|Rating|Label
---|---|---
"osx"|1|Low
"apple"|1|Low
"ios"|2|Medium
"android"|3|High
"tizen"|3|High
"samsung"|3|High
"pc"|2|Medium
"smartphone"|2|Medium

A remote device with a null or unknown manufacturer is considered low risk. A Low Energy device (`DEVICE_TYPE_LE`) is also considered low risk.

### Discussion
Assuming a normal progression through the app, you first check whether your device is at risk. It most likely is, since you are checking with an Android app, which means you are most likely using an Android device. You are then notified that your device is vulnerable and prompted to check the devices around you; importantly, Bluetooth is then enabled (once the runtime permissions are granted), thereby exposing your potentially vulnerable device to the attack vector. This brief proximity awareness comes at the cost of making your device __more__ vulnerable than it was before you downloaded and installed the app.

Overall, the app is somewhat useful, in the sense that having a machine do something for you is useful; in this case, comparing two dates. It is truly useful if and only if you do not know where to find one of the dates. Given both dates, it takes less time to compare them yourself than it does to download, install and run the app.

Its other function, to "scan and locate" nearby devices and check whether they too are at risk, is really a conventional Bluetooth device discovery scan that reads publicly available attributes of each device discovered, including manufacturer and type, and uses them to score the device's risk on a scale from 1 to 3 drawn from an array of static values; e.g. a device manufactured by "Google" is always an "android" device, which always scores 3 (high risk). This also seems relatively useless, since it is already plausible to say "Android devices are at high risk" or "iOS devices are at risk, but lower." Armis Labs clearly already has.

Still, it is a free app designed to help you secure your device, and the local device check can, to a degree, do that, though it checks the security patch date against 8/1/2017 while the September security patch is the one recommended.
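The two checks described under Results, modelled in Python as an added example (not code from the Armis app or from this repository): the address prefixes and the manufacturer-to-classification mapping are constructed assumptions, since the README does not reproduce the app's static lists, while the rating table is the one given above. One caveat worth checking against the decompiled source: `java.util.Calendar` months are zero-based, so `GregorianCalendar(2017, 8, 1)` resolves to 1 September 2017, which is the threshold this model uses.

```python
"""Model of the BlueBorne Vulnerability Scanner verdict logic described in the README.

Added example, not the app's own code. All prefixes and sample inputs are constructed.
"""
from __future__ import annotations

from datetime import date

# The app compares against GregorianCalendar(2017, 8, 1); Calendar months are
# zero-based in Java, so that is 1 September 2017.
PATCH_THRESHOLD = date(2017, 9, 1)

# Address prefix -> manufacturer. The app ships a static list; these three
# prefixes are constructed placeholders, not values taken from the app.
MANUFACTURER_BY_PREFIX = {
    "00:00:01": "Apple",
    "00:00:02": "HTC",
    "00:00:03": "Samsung",
}

# Manufacturer -> classification. Assumed mapping; the README only gives examples
# ("ios", "android", "tizen") and notes that "Google" always maps to "android".
CLASSIFICATION_BY_MANUFACTURER = {
    "Apple": "ios",
    "HTC": "android",
    "Google": "android",
    "Samsung": "samsung",
}

# Classification -> (rating, label), as tabulated in the Results section.
RATING_BY_CLASSIFICATION = {
    "osx": (1, "Low"), "apple": (1, "Low"), "ios": (2, "Medium"),
    "android": (3, "High"), "tizen": (3, "High"), "samsung": (3, "High"),
    "pc": (2, "Medium"), "smartphone": (2, "Medium"),
}

DEVICE_TYPE_LE = 2  # android.bluetooth.BluetoothDevice.DEVICE_TYPE_LE


def local_device_vulnerable(security_patch: str) -> bool:
    """Local check: Build.VERSION.SECURITY_PATCH (YYYY-MM-DD) older than threshold."""
    return date.fromisoformat(security_patch) < PATCH_THRESHOLD


def rate_remote_device(address: str, device_type: int) -> tuple[int, str]:
    """Remote check: LE-only, unknown or null manufacturer all rate as Low."""
    if device_type == DEVICE_TYPE_LE:
        return (1, "Low")
    manufacturer = MANUFACTURER_BY_PREFIX.get(address[:8].upper())
    classification = CLASSIFICATION_BY_MANUFACTURER.get(manufacturer)
    return RATING_BY_CLASSIFICATION.get(classification, (1, "Low"))
```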