BlueBorne (security vulnerability)
BlueBorne is a type of security vulnerability in Bluetooth implementations in Android, iOS, Linux and Windows.[1][2][3] It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE-2017-14315. The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.[1][2][4][5][6] According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]."[1]
History
The BlueBorne security vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.[1]
Technical Information
The BlueBorne vulnerabilities are a set of 8 separate vulnerabilities.[7] They can be broken down into groups based upon platform and type. There were vulnerabilities found in the Bluetooth code of the Android, iOS, Linux and Windows platforms:[8]
- Linux kernel RCE vulnerability - CVE-2017-1000251[9]
- Linux Bluetooth stack (BlueZ) information leak vulnerability - CVE-2017-1000250[10]
- Android information leak vulnerability - CVE-2017-0785[11]
- Android RCE vulnerability #1 - CVE-2017-0781[12]
- Android RCE vulnerability #2 - CVE-2017-0782[13]
- The Bluetooth Pineapple in Android - logical flaw - CVE-2017-0783[14]
- The Bluetooth Pineapple in Windows - logical flaw - CVE-2017-8628[15]
- Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315[16]
The vulnerabilities are a mixture of information leak vulnerabilities, remote code execution (RCE) vulnerabilities and logical flaw vulnerabilities. The Apple iOS vulnerability was a remote code execution vulnerability due to the implementation of LEAP (Low Energy Audio Protocol). This vulnerability was only present in older versions of Apple iOS.[17]
Impact
In 2017, BlueBorne was estimated to potentially affect all of the 8.2 billion Bluetooth devices worldwide,[1] although it was clarified that 5.3 billion Bluetooth devices are at risk.[18] Many devices are affected, including laptops, smart cars, smartphones and wearable gadgets.[1][2][4][5][6]
In 2018, one year after the original disclosure, Armis estimated that over 2 billion devices were still vulnerable.[19][20]
Mitigation
Google provides a BlueBorne vulnerability scanner from Armis for Android.[21] Procedures to help protect devices from the BlueBorne security vulnerabilities were reported by September 2017.[22][23][24]
References
- Staff (12 September 2017). "The Attack Vector "BlueBorne" Exposes Almost Every Connected Device". Armis.com. Retrieved 5 January 2018.
- Staff (12 September 2017). "BlueBorne - Protecting the Enterprise from BlueBorne" (PDF). Armis.com. Archived from the original (PDF) on 20 December 2017. Retrieved 5 January 2018.
- Biggs, John (12 September 2017). "New Bluetooth vulnerability can hack a phone in 10 seconds". TechCrunch. Retrieved 5 January 2018.
- Newman, Lily Hay (13 September 2017). "Hey, Turn Bluetooth Off When You're Not Using It". Wired. Retrieved 5 January 2018.
- Hildenbrand, Jerry (16 September 2017). "Let's talk about Blueborne, the latest Bluetooth vulnerability". AndroidCentral.com. Retrieved 5 January 2018.
- Kerner, Sean Michael (12 September 2017). "BlueBorne Bluetooth Flaws Put Billions of Devices at Risk". eWeek. Retrieved 5 January 2018.
- "BlueBorne Whitepaper" (PDF). Archived (PDF) from the original on 5 May 2020.
- "An Analysis of BlueBorne: Bluetooth Security Risks". Decipher. Retrieved 28 July 2021.
- "NVD - CVE-2017-1000251". nvd.nist.gov. Retrieved 28 July 2021.
- "NVD - CVE-2017-1000250". nvd.nist.gov. Retrieved 28 July 2021.
- "NVD - CVE-2017-0785". nvd.nist.gov. Retrieved 28 July 2021.
- "NVD - CVE-2017-0781". nvd.nist.gov. Retrieved 28 July 2021.
- "NVD - CVE-2017-0782". nvd.nist.gov. Retrieved 28 July 2021.
- "NVD - CVE-2017-0783". nvd.nist.gov. Retrieved 28 July 2021.
- "NVD - CVE-2017-8628". nvd.nist.gov. Retrieved 28 July 2021.
- "NVD - CVE-2017-14315". nvd.nist.gov. Retrieved 28 July 2021.
- "What is BlueBorne? An Apple Device FAQ". The Mac Security Blog. 22 September 2017. Retrieved 28 July 2021.
- Smith, Ms (12 September 2017). "5.3 billion devices at risk for invisible, infectious Bluetooth attack". CSO Online. Retrieved 28 July 2021.
- Osborne, Charlie. "Two billion devices still vulnerable to Blueborne flaws a year after discovery". ZDNet. Retrieved 28 July 2021.
- "BlueBorne: One Year Later". Armis. 13 September 2018. Retrieved 28 July 2021.
- Staff (12 September 2017). "BlueBorne Vulnerability Scanner by Armis - 2017". Google. Retrieved 5 January 2018.
- Staff (15 September 2017). "Information on new BlueBorne security vulnerability". Cornell University. Retrieved 5 January 2018.
- Meyer, David (13 September 2017). "How to Check If You're Exposed to Those Scary BlueBorne Bluetooth Flaws". Fortune. Retrieved 5 January 2018.
- Geiger, Erik (20 September 2017). ""BlueBorne" Exposes Millions of Bluetooth Devices". Wisconsin University. Archived from the original on 5 January 2018. Retrieved 5 January 2018.