Bluetooth Security Issue – BlueBorne

Sep - 14 2017 | By

Armis, a security company, has found an issue in Bluetooth that affects 5.3 billion devices running Windows, Linux, iOS, and Android. It is called BlueBorne. BlueBorne does not require any interaction from the user: no clicking a URL, no downloading a file, not even pairing with a Bluetooth device. If Bluetooth is turned on, the device can be infected with malware in a way that is completely undetectable by the user. Any device infected with BlueBorne can look for other Bluetooth devices to infect. Because of how Bluetooth is designed, this method of attack cannot be detected or killed. Bluetooth by design covers about 33 feet from the device, so a device that does not have BlueBorne could be infected simply by being within 33 feet of an infected device.

This attack is possible due to a collection of eight zero-day vulnerabilities which allow hackers to leverage Bluetooth technology to take complete control of a device, such as a computer, smartphone, smartwatch, fitness tracker, mouse, keyboard, touchpad, IoT device, speakers, AI devices like Google Home and Alexa, and many more devices that have Bluetooth technology. A zero-day vulnerability is one that has not been seen before and is a completely new form of attack.

Microsoft Windows – has been patched since July 11

Apple – has no vulnerabilities in its current and supported versions of iOS and Mac OS

Android – Google released a public security update for the issue on September 4. Android phone vendors now need to take that update, prepare it for their devices, and then get it to their users

Samsung – has yet to release any fixes or to respond to the problem

Linux – each Linux vendor has been working since September 12 to release patches for their supported versions of Linux; none have been released at this time.

 

Video about this issue from Armis – https://www.youtube.com/watch?v=LLNtZKpL0P8

The entire article from Armis – https://www.armis.com/blueborne/

Michael Spice can help with questions or assistance on this and many other security issues. Please review the known affected devices listed below.

Devices that are known to be affected

Android

All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).

Examples of impacted devices:

  • Google Pixel
  • Samsung Galaxy
  • Samsung Galaxy Tab
  • LG Watch Sport
  • Pumpkin Car Audio System

Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin on September 4, 2017. We recommend that users check that Bulletin for the latest and most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level.

Note to Android users: To check if your device is at risk or if the devices around you are at risk, download the Armis BlueBorne Scanner App on Google Play.

Windows
All Windows computers since Windows Vista are affected by the “Bluetooth Pineapple” vulnerability which allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-8628).

Microsoft has issued security patches to all supported Windows versions on July 11, 2017, with coordinated notification on Tuesday, September 12. We recommend that Windows users check with the Microsoft release here for the latest information.

Linux
Linux is the underlying operating system for a wide range of devices. The most commercial and consumer-oriented platform based on Linux is the Tizen OS.

  • All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250).
  • All Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (CVE-2017-1000251).

Examples of impacted devices:

  • Samsung Gear S3 (Smartwatch)
  • Samsung Smart TVs
  • Samsung Family Hub (Smart refrigerator)

iOS
All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available.

If you are concerned that your device may not be patched, we recommend disabling Bluetooth, and minimizing its use until you can confirm a patch is issued and installed on your device.
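For anyone tracking more than a handful of devices, the per-platform thresholds above can be applied to an asset inventory. The following is an added example, not code from Armis or from this article; the record schema, field names and sample devices are hypothetical, and the Windows check assumes updates are cumulative.

```python
import re
from datetime import date

# Thresholds as stated in the advisory text above.
ANDROID_FIXED_SPL = date(2017, 9, 9)    # security patch level the page names
WINDOWS_FIX_DATE = date(2017, 7, 11)    # Microsoft patch release date
IOS_LAST_AFFECTED = (9, 3, 5)
TVOS_LAST_AFFECTED = (7, 2, 2)
LINUX_FIRST_AFFECTED = (3, 3)           # kernel 3.3-rc1 onwards

def ver(text, width=3):
    """Leading dotted-numeric part of a version string as a zero-padded tuple."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple((nums + [0] * width)[:width])

def triage(dev):
    """Return the BlueBorne issues one inventory record is still exposed to."""
    if not dev.get("bluetooth_on", True):   # interim mitigation: Bluetooth disabled
        return []
    os_name, issues = dev["os"], []
    if os_name == "android" and not dev.get("ble_only"):
        if date.fromisoformat(dev["patch_level"]) < ANDROID_FIXED_SPL:
            issues = ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785"]
    elif os_name == "windows":
        # Assumption: updates are cumulative, so an older date means the fix is absent.
        if date.fromisoformat(dev["last_security_update"]) < WINDOWS_FIX_DATE:
            issues = ["CVE-2017-8628"]
    elif os_name == "linux" and not dev.get("vendor_patch_confirmed"):
        if dev.get("bluez"):
            issues.append("CVE-2017-1000250")
        if ver(dev["kernel"], 2) >= LINUX_FIRST_AFFECTED:
            issues.append("CVE-2017-1000251")
    elif os_name == "ios" and ver(dev["version"]) <= IOS_LAST_AFFECTED:
        issues = ["remote code execution (iOS 9.3.5 and lower)"]
    elif os_name == "tvos" and ver(dev["version"]) <= TVOS_LAST_AFFECTED:
        issues = ["remote code execution (Apple TV 7.2.2 and lower)"]
    return issues

# Constructed sample inventory; names and values are made up for illustration.
INVENTORY = [
    {"name": "pixel-01", "os": "android", "patch_level": "2017-08-05"},
    {"name": "kiosk-01", "os": "linux", "kernel": "4.4.0-93-generic", "bluez": True},
    {"name": "kiosk-02", "os": "linux", "kernel": "4.4.0-93-generic", "bluez": True,
     "bluetooth_on": False},
    {"name": "ipad-01", "os": "ios", "version": "9.3.5"},
    {"name": "pc-01", "os": "windows", "last_security_update": "2017-06-13"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        found = triage(dev)
        status = "EXPOSED: " + ", ".join(found) if found else "ok"
        print(f"{dev['name']:10} {status}")
```

A Linux record stays flagged until `vendor_patch_confirmed` is set, since no vendor patches had been released when this was written.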