Critical Vulnerability Affects Bluetooth-Enabled Cameras

A newly discovered vulnerability in the 4.x Bluetooth wireless standard has been shown to affect cameras that implement full remote control functionality. The exploit has been demonstrated as viable in proof-of-concept laboratory testing, and researchers believe that it has the potential to either physically damage cameras or render them inoperable.

The Bluetooth standard is a wireless technology for data exchange over short distances. While there is some overlap with the Wi-Fi standard, the latter is intended for networking devices, whereas Bluetooth was originally envisaged to replace the connection cable between a computer and a peripheral device. For this reason, Bluetooth is point-to-point, tends to operate over short range, and is low power; implementation is also intended to be low cost.

Version 1 of the Bluetooth standard dates to 1999; however, it has undergone several iterations over its lifetime to reach the current version 5. These iterations have in part been intended to fix issues in the first release that caused interoperability and connectivity problems (something familiar to camera users), and in part to add new features.

In particular, researchers in the Department of Electrical Engineering at the Berlin Technical Institute (BTI) have focused upon the Bluetooth 4.1 specification which introduced new mobile wireless service coexistence signaling to minimize interference, accelerate initial handshaking, and allow hand-off between different Bluetooth services connected to a device.

It is the last of these three adaptations that is open to exploitation on older devices running open source device drivers. Dr. Per Müller at BTI notes that “in an unpatched environment we [can] demonstrate a break in the chain of authentication which allows the execution of unsigned code on the remote device.”

His laboratory has demonstrated the ability to either partially or fully over-write the firmware in a remotely connected camera, altering its functionality or rendering it inoperable.

An attacker could render your Bluetooth-enabled camera inoperable.

The exploit has only been demonstrated in an experimental environment and requires a specific set of conditions in order to occur. Specifically, it requires older camera firmware that has implemented open source Bluetooth drivers adhering to the 4.1 standard, in combination with a device (PC, smartphone, or tablet) that is also running an open source driver stack at 4.0, 4.2, or 4.2.

Dr. Müller said that affected camera manufacturers had been informed of the exploit and that updated firmware had already been released by some in order to address the issue. He was unable to confirm which manufacturers had been affected, as this could allow cyber criminals to reverse engineer the exploit; however, he advised that, as a matter of course, camera firmware should be updated if available. Additionally, keeping smartphones on the latest manufacturer software update would also help mitigate the problem.

Cameras appear to be the latest target in a range of “Internet of Things” malware attacks that have also included garage doors, fridges, security cameras, and alarm systems. Perhaps the most destructive malware is the “bricker”, such as Silex, which deletes system software before rebooting the device.


Update: Happy April Fools’ Day!
