Unpatched Macs Face Bluetooth Root Exploit
Security software developer Intego last week issued a press release about a significant proof-of-concept Bluetooth exploit that has been dubbed “Inqtana.d Bluetooth.” This exploit works via a flaw in the Bluetooth short-range wireless networking standard, and could affect only Macs running unpatched versions of Mac OS X 10.3 Panther and Mac OS X 10.4 Tiger (which is why we recommend installing Apple’s security updates!). However, unlike earlier known variants of this exploit, the “D” version requires no user interaction to create an account with root privileges, which can then be accessed via Ethernet or Wi-Fi to carry out any tasks that are allowed by an administrative user – that is, any action whatsoever. The exploit was demonstrated at hack.lu last week, and the code released following that.
If you are running Mac OS X 10.3 Panther, make sure Security Update 2005-005 is installed; it was released in May 2005. Mac OS X 10.4 Tiger users need at least 10.4.7 installed, which was released in June 2006. If affected by the exploit, Mac OS X 10.3 users would be compromised only after a restart; Mac OS X 10.4 users would be compromised immediately.
Intego has a history of trumpeting their curatives for concept viruses and exploits that are either relatively trivial or never seen in the wild. And, according to “KF,” the otherwise unidentified operator of the Digital Munition site that released the exploit code, this “D” variant involves just a minor change – with major effect – to code that was disclosed on 02-Feb-06 by KF to Intego. Intego’s press release says you should have their latest virus definitions to protect against this variant but doesn’t say that earlier virus signatures would be ineffective. I haven’t seen any alerts about this variant from Apple, CERT, or other software developers, which may reflect the assessment of the number of potentially exploitable computers.
However, this is among the most severe attacks ever developed against Mac OS X, and as such, I can’t fault Intego for alerting people to its existence at the same time as they promote their anti-virus software. But while it’s serious, that doesn’t mean it’s actually going to be a problem for anyone. The Wi-Fi patches that Apple released last month (see “AirPort Updates Stop Wi-Fi Exploit,” 25-Sep-06) resolved a problem with equally bad consequences, but Apple stated there was no known exploit code available, and no specific vector, only a general approach for attack.
With Inqtana.d Bluetooth, no user interaction is required, and thus a machine could be quickly and quietly taken over at its fundamental level. Firewall software might prevent remote access to the root account that’s created, but that’s not a guarantee, especially if the attacker were on your local network.
The good news is that virtually all Panther users and most Tiger users that would be at risk could reasonably be expected to have updated their computers with patches that already protect against this exploit. And the vector for exploitation is rather tricky. The code is out there, but I see little likelihood that it will be developed into a simple-to-use package like KisMAC, which is a Wi-Fi vulnerability assessor (or a pre-built cracking engine, depending on your world view).
In order for your machine to be compromised, an attacker must install code to perform the compromise and find locations with Mac users, and those Mac users must have Bluetooth turned on and be out of date on patches by months… or by more than a year! Bluetooth’s short range means that it would be difficult to hack a fixed computer located more than an apartment wall away, and thus mobile Macs would be at the greatest risk.
I imagine most Mac laptop owners are in the universe of people who frequently install patches, too, because they probably expect they’re at greater risk. The odds of actually being hacked in this manner are thus vanishingly small. Even further, once compromised, the attacker needs to be able to access your computer, and, if you’re a mobile user, you would likely have walked away by that point, never to be seen again.
This is just another sign that increasing scrutiny is being paid to Mac OS X by security researchers; it’s not yet proof, however, that virus and worm writers give a darn.