BlueBorne (security vulnerability)

BlueBorne is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows.[1][2][3] It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE-2017-14315. The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.[1][2][4][5][6] According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]."[1]

History

edit

The BlueBorne security vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.[1]

Technical Information

edit

The BlueBorne vulnerabilities are a set of 8 separate vulnerabilities.[7] They can be broken down into groups based upon platform and type. There were vulnerabilities found in the Bluetooth code of the Android, iOS, Linux and Windows platforms:[8]

  • Linux kernel RCE vulnerability - CVE-2017-1000251[9]
  • Linux Bluetooth stack (BlueZ) information Leak vulnerability - CVE-2017-1000250[10]
  • Android information Leak vulnerability - CVE-2017-0785[11]
  • Android RCE vulnerability #1 - CVE-2017-0781[12]
  • Android RCE vulnerability #2 - CVE-2017-0782[13]
  • The Bluetooth Pineapple in Android - Logical Flaw CVE-2017-0783[14]
  • The Bluetooth Pineapple in Windows - Logical Flaw CVE-2017-8628[15]
  • Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315[16]

The vulnerabilities are a mixture of information leak vulnerabilities, remote code execution vulnerability or logical flaw vulnerabilities. The Apple iOS vulnerability was a remote code execution vulnerability due to the implementation of LEAP (Low Energy Audio Protocol). This vulnerability was only present in older versions of the Apple iOS.[17]

Impact

edit

In 2017, BlueBorne was estimated to potentially affect all the 8.2 billion Bluetooth devices worldwide,[1] although they clarify that 5.3 billion Bluetooth devices are at risk.[18] Many devices are affected, including laptops, smart cars, smartphones and wearable gadgets.[1][2][4][5][6]

In 2018, after one year after the original disclosure, Armis estimated that over 2 billion devices were still vulnerable.[19][20]

Mitigation

edit

Google provides a BlueBorne vulnerability scanner from Armis for Android.[21] Procedures[clarification needed] to help protect devices from the BlueBorne security vulnerabilities were reported by September 2017.[22][23][24][needs update]

References

edit
  1. ^ a b c d e f Staff (12 September 2017). "The Attack Vector "BlueBorne" Exposes Almost Every Connected Device". Armis.com. Retrieved 5 January 2018.
  2. ^ a b c Staff (12 September 2017). "BlueBorne - Protecting the Enterprise from BlueBorne" (PDF). Armis.com. Archived from the original (PDF) on 20 December 2017. Retrieved 5 January 2018.
  3. ^ Biggs, Jpohn (12 September 2017). "New Bluetooth vulnerability can hack a phone in 10 seconds". TechCrunch. Retrieved 5 January 2018.
  4. ^ a b Newman, Lily Hay (13 September 2017). "Hey, Turn Bluetooth Off When You're Not Using It". Wired. Retrieved 5 January 2018.
  5. ^ a b Hildenbrand, Jerry (16 September 2017). "Let's talk about Blueborne, the latest Bluetooth vulnerability". AndroidCentral.com. Retrieved 5 January 2018.
  6. ^ a b Kerner, Sean Michael (12 September 2017). "BlueBorne Bluetooth Flaws Put Billions of Devices at Risk". eWeek. Retrieved 5 January 2018.
  7. ^ "BlueBorne Whitepaper" (PDF). Archived (PDF) from the original on 5 May 2020.
  8. ^ "An Analysis of BlueBorne: Bluetooth Security Risks". Decipher. Retrieved 28 July 2021.
  9. ^ "NVD - CVE-2017-1000251". nvd.nist.gov. Retrieved 28 July 2021.
  10. ^ "NVD - CVE-2017-1000250". nvd.nist.gov. Retrieved 28 July 2021.
  11. ^ "NVD - CVE-2017-0785". nvd.nist.gov. Retrieved 28 July 2021.
  12. ^ "NVD - CVE-2017-0781". nvd.nist.gov. Retrieved 28 July 2021.
  13. ^ "NVD - CVE-2017-0782". nvd.nist.gov. Retrieved 28 July 2021.
  14. ^ "NVD - CVE-2017-0783". nvd.nist.gov. Retrieved 28 July 2021.
  15. ^ "NVD - CVE-2017-8628". nvd.nist.gov. Retrieved 28 July 2021.
  16. ^ "NVD - CVE-2017-14315". nvd.nist.gov. Retrieved 28 July 2021.
  17. ^ "What is BlueBorne? An Apple Device FAQ". The Mac Security Blog. 22 September 2017. Retrieved 28 July 2021.
  18. ^ Smith, Ms (12 September 2017). "5.3 billion devices at risk for invisible, infectious Bluetooth attack". CSO Online. Retrieved 28 July 2021.
  19. ^ Osborne, Charlie. "Two billion devices still vulnerable to Blueborne flaws a year after discovery". ZDNet. Retrieved 28 July 2021.
  20. ^ "BlueBorne: One Year Later". Armis. 13 September 2018. Retrieved 28 July 2021.
  21. ^ Staff (12 September 2017). "BlueBorne Vulnerability Scanner by Armis - 2017". Google. Retrieved 5 January 2018.
  22. ^ Staff (15 September 2017). "Information on new BlueBorne security vulnerability". Cornell University. Retrieved 5 January 2018.
  23. ^ Meyer, David (13 September 2017). "How to Check If You're Exposed to Those Scary BlueBorne Bluetooth Flaws". Fortune. Retrieved 5 January 2018.
  24. ^ Geiger, Erik (20 September 2017). ""BlueBorne" Exposes Millions of Bluetooth Devices". Wisconsin University. Archived from the original on 5 January 2018. Retrieved 5 January 2018.
edit