Bluetooth is widely implemented in billions of devices, and nearly all of those devices need to be patched for a new set of Bluetooth vulnerabilities dubbed BlueBorne.
The BlueBorne vulnerabilities were discovered by internet of things (IoT) security firm Armis, which first responsibly reported the flaws to the impacted vendors, including Google, Microsoft and the Linux community. There is no indication to date that the BlueBorne vulnerabilities have been exploited in the wild by attackers.
“BlueBorne is a series of vulnerabilities that we found to enable an airborne attack vector,” Nadir Izrael, co-founder and CTO of Armis, told eWEEK. “The vulnerabilities permeate all the major stacks on devices, and given Bluetooth’s popularity we estimate there to be 5.3 billion vulnerable devices.”
Microsoft silently delivered patches for the BlueBorne issues as part of its July Patch Tuesday update.
“Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically,” Microsoft stated. “We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”
Patches for the issues discovered by Armis are set to be made available today by Google and Linux vendors to help mitigate the risk.
The eight vulnerabilities include a Linux kernel RCE vulnerability (CVE-2017-1000251), Linux Bluetooth stack (BlueZ) information Leak vulnerability (CVE-2017-1000250), Android information Leak vulnerability (CVE-2017-0785), Android Remote Code Execution vulnerabilities (CVE-2017-0781 and CVE-2017-0782), The Bluetooth Pineapple in Android – Logical Flaw (CVE-2017-0783) and Bluetooth Pineapple in Windows – Logical Flaw (CVE-2017-8628).
The eighth flaw is a Remote Code Execution vulnerability in Apple’s Low Energy Audio Protocol that currently does not yet have a CVE number assigned.
Izrael explained that the vulnerabilities enable an attacker to take over a device, as well as use a device to spread malware across other devices. Of note, Armis’ research has found that Bluetooth just has to be open for an attack to be successful.
Armis is in the business of helping to secure internet of things (IoT) devices. The company emerged from stealth mode on June 6 with its security platform and $17 million in funding.
“We found the BlueBorne vulnerabilities somewhat by accident while we were doing research on wireless security,” Izrael said.
Bluetooth security risks are not a new thing, though most past attacks have involved misconfiguration or the lack of PIN authentication to secure a Bluetooth connection.
“What we found are vulnerabilities in the Bluetooth stacks and the flaws don’t rely on authentication or PIN code misuse,” Ben Seri, head of research at Armis, told eWEEK. “The vulnerabilities are at the very core of the Bluetooth stacks, so once a connection is started, a remote code execution, or a man-in-the middle attack, is possible.”
Remediation
Seri explained that there are several areas in the Bluetooth protocol specifications that might have resulted in the various vendors ending up with similar flaws.
“We basically found one bug on one stack and then found the same bugs across multiple different devices,” Izrael said. “The fact that all vendors have the same flaws does seem to indicate that there is need for further tightening in how the Bluetooth protocol is implemented.”
Seri added that in his view over the last decade the research community has not spent a lot of time looking at Bluetooth flaws. His hope is that now, with BlueBorne, there will more Bluetooth security scrutiny.
“I hope our efforts with BlueBorne help other researchers examining Bluetooth implementations see what potential issues need to be looked at,” Seri said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.