BlueBorne (security vulnerability) explained

BlueBorne is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows.^{[1] [2] [3]} It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is . The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.^{[4] [5] [6]} According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]."

History

The BlueBorne security vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.

Technical Information

The BlueBorne vulnerabilities are a set of 8 separate vulnerabilities.^[7] They can be broken down into groups based upon platform and type. There were vulnerabilities found in the Bluetooth code of the Android, iOS, Linux and Windows platforms:^[8]

• Linux kernel RCE vulnerability - CVE-2017-1000251^[9]
• Linux Bluetooth stack (BlueZ) information Leak vulnerability - CVE-2017-1000250^[10]
• Android information Leak vulnerability - CVE-2017-0785^[11]
• Android RCE vulnerability #1 - CVE-2017-0781^[12]
• Android RCE vulnerability #2 - CVE-2017-0782^[13]
• The Bluetooth Pineapple in Android - Logical Flaw CVE-2017-0783^[14]
• The Bluetooth Pineapple in Windows - Logical Flaw CVE-2017-8628^[15]
• Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315^[16]

The vulnerabilities are a mixture of information leak vulnerabilities, remote code execution vulnerability or logical flaw vulnerabilities. The Apple iOS vulnerability was a remote code execution vulnerability due to the implementation of LEAP (Low Energy Audio Protocol). This vulnerability was only present in older versions of the Apple iOS.^[17]

Impact

In 2017, BlueBorne was estimated to potentially affect all the 8.2 billion Bluetooth devices worldwide, although they clarify that 5.3 billion Bluetooth devices are at risk.^[18] Many devices are affected, including laptops, smart cars, smartphones and wearable gadgets.

In 2018, after one year after the original disclosure, Armis estimated that over 2 billion devices were still vulnerable.^{[19] [20]}

Mitigation

Google provides a BlueBorne vulnerability scanner from Armis for Android.^[21] Procedures to help protect devices from the BlueBorne security vulnerabilities were reported by September 2017.^{[22] [23] [24]}

Notes and References

1. News: Staff . The Attack Vector "BlueBorne" Exposes Almost Every Connected Device . 12 September 2017 . Armis.com . 5 January 2018 .
2. News: Staff . BlueBorne - Protecting the Enterprise from BlueBorne . 12 September 2017 . Armis.com . 5 January 2018 . 20 December 2017 . https://web.archive.org/web/20171220084324/http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf . dead .
3. Web site: Biggs . Jpohn . New Bluetooth vulnerability can hack a phone in 10 seconds . 12 September 2017 . . 5 January 2018 .
4. Newman . Lily Hay . Hey, Turn Bluetooth Off When You're Not Using It . 13 September 2017 . . 5 January 2018 .
5. Web site: Hildenbrand . Jerry . Let's talk about Blueborne, the latest Bluetooth vulnerability . 16 September 2017 . AndroidCentral.com . 5 January 2018 .
6. Web site: Kerner . Sean Michael . BlueBorne Bluetooth Flaws Put Billions of Devices at Risk . 12 September 2017 . . 5 January 2018 .
7. Web site: BlueBorne Whitepaper. live. https://web.archive.org/web/20200505161458/https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf . 5 May 2020 .
8. Web site: An Analysis of BlueBorne: Bluetooth Security Risks. 2021-07-28. Decipher. en.
9. Web site: NVD - CVE-2017-1000251. 2021-07-28. nvd.nist.gov.
10. Web site: NVD - CVE-2017-1000250. 2021-07-28. nvd.nist.gov.
11. Web site: NVD - CVE-2017-0785. 2021-07-28. nvd.nist.gov.
12. Web site: NVD - CVE-2017-0781. 2021-07-28. nvd.nist.gov.
13. Web site: NVD - CVE-2017-0782. 2021-07-28. nvd.nist.gov.
14. Web site: NVD - CVE-2017-0783. 2021-07-28. nvd.nist.gov.
15. Web site: NVD - CVE-2017-8628. 2021-07-28. nvd.nist.gov.
16. Web site: NVD - CVE-2017-14315. 2021-07-28. nvd.nist.gov.
17. Web site: 2017-09-22. What is BlueBorne? An Apple Device FAQ. 2021-07-28. The Mac Security Blog. en-US.
18. Web site: Smith. Ms. 2017-09-12. 5.3 billion devices at risk for invisible, infectious Bluetooth attack. 2021-07-28. CSO Online. en.
19. Web site: Osborne. Charlie. Two billion devices still vulnerable to Blueborne flaws a year after discovery. 2021-07-28. ZDNet. en.
20. Web site: 2018-09-13. BlueBorne: One Year Later. 2021-07-28. Armis. en-US.
21. Web site: Staff . BlueBorne Vulnerability Scanner by Armis - 2017 . 12 September 2017 . . 5 January 2018 .
22. Web site: Staff . Information on new BlueBorne security vulnerability . 15 September 2017 . . 5 January 2018 .
23. Web site: Meyer . David . How to Check If You're Exposed to Those Scary BlueBorne Bluetooth Flaws . 13 September 2017 . . 5 January 2018 .
24. Web site: Geiger . Erik . "BlueBorne" Exposes Millions of Bluetooth Devices . 20 September 2017 . . 5 January 2018 . 5 January 2018 . https://web.archive.org/web/20180105233711/https://it.wisc.edu/news/blueborne-exposes-millions-bluetooth-devices/ . dead .