Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    BlueBorne Bluetooth Flaws Put Billions of Devices at Risk

    By
    Sean Michael Kerner
    -
    September 12, 2017
    Share
    Facebook
    Twitter
    Linkedin
      BlueBorne

      Bluetooth is widely implemented in billions of devices, and nearly all of those devices need to be patched for a new set of Bluetooth vulnerabilities dubbed BlueBorne.

      The BlueBorne vulnerabilities were discovered by internet of things (IoT) security firm Armis, which first responsibly reported the flaws to the impacted vendors, including Google, Microsoft and the Linux community. There is no indication to date that the BlueBorne vulnerabilities have been exploited in the wild by attackers.

      “BlueBorne is a series of vulnerabilities that we found to enable an airborne attack vector,” Nadir Izrael, co-founder and CTO of Armis, told eWEEK. “The vulnerabilities permeate all the major stacks on devices, and given Bluetooth’s popularity we estimate there to be 5.3 billion vulnerable devices.”

      Microsoft silently delivered patches for the BlueBorne issues as part of its July Patch Tuesday update.

      “Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically,” Microsoft stated. “We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”

      Patches for the issues discovered by Armis are set to be made available today by Google and Linux vendors to help mitigate the risk.

      The eight vulnerabilities include a Linux kernel RCE vulnerability (CVE-2017-1000251), Linux Bluetooth stack (BlueZ) information Leak vulnerability (CVE-2017-1000250), Android information Leak vulnerability (CVE-2017-0785), Android Remote Code Execution vulnerabilities (CVE-2017-0781 and CVE-2017-0782), The Bluetooth Pineapple in Android – Logical Flaw (CVE-2017-0783) and Bluetooth Pineapple in Windows – Logical Flaw (CVE-2017-8628).

      The eighth flaw is a Remote Code Execution vulnerability in Apple’s Low Energy Audio Protocol that currently does not yet have a CVE number assigned.

      Izrael explained that the vulnerabilities enable an attacker to take over a device, as well as use a device to spread malware across other devices. Of note, Armis’ research has found that Bluetooth just has to be open for an attack to be successful. 

      Armis is in the business of helping to secure internet of things (IoT) devices. The company emerged from stealth mode on June 6 with its security platform and $17 million in funding.

      “We found the BlueBorne vulnerabilities somewhat by accident while we were doing research on wireless security,” Izrael said.

      Bluetooth security risks are not a new thing, though most past attacks have involved misconfiguration or the lack of PIN authentication to secure a Bluetooth connection.

      “What we found are vulnerabilities in the Bluetooth stacks and the flaws don’t rely on authentication or PIN code misuse,” Ben Seri, head of research at Armis, told eWEEK. “The vulnerabilities are at the very core of the Bluetooth stacks, so once a connection is started, a remote code execution, or a man-in-the middle attack, is possible.”

      Remediation

      Seri explained that there are several areas in the Bluetooth protocol specifications that might have resulted in the various vendors ending up with similar flaws.

      “We basically found one bug on one stack and then found the same bugs across multiple different devices,” Izrael said. “The fact that all vendors have the same flaws does seem to indicate that there is need for further tightening in how the Bluetooth protocol is implemented.”

      Seri added that in his view over the last decade the research community has not spent a lot of time looking at Bluetooth flaws. His hope is that now, with BlueBorne, there will more Bluetooth security scrutiny.

      “I hope our efforts with BlueBorne help other researchers examining Bluetooth implementations see what potential issues need to be looked at,” Seri said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×