BlueBorne is a type of security vulnerability affecting Bluetooth implementations in Android, iOS, Linux and Windows.[1][2][3] It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE-2017-14315. The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.[1][2][4][5][6] According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]."[1]
History
The BlueBorne security vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.[1]
Technical Information
The BlueBorne vulnerabilities are a set of 8 separate vulnerabilities.[7] They can be broken down into groups based upon platform and type. There were vulnerabilities found in the Bluetooth code of the Android, iOS, Linux and Windows platforms:[8]
Linux kernel RCE vulnerability - CVE-2017-1000251[9]
Linux Bluetooth stack (BlueZ) information leak vulnerability - CVE-2017-1000250[10]
Android information leak vulnerability - CVE-2017-0785[11]
The Bluetooth Pineapple in Android (logical flaw) - CVE-2017-0783[14]
The Bluetooth Pineapple in Windows (logical flaw) - CVE-2017-8628[15]
Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315[16]
The vulnerabilities are a mixture of information leak, remote code execution and logical flaw vulnerabilities. The Apple iOS vulnerability was a remote code execution vulnerability due to the implementation of LEAP (Low Energy Audio Protocol). This vulnerability was only present in older versions of Apple iOS.[17]
Impact
In 2017, BlueBorne was estimated to potentially affect all 8.2 billion Bluetooth devices worldwide,[1] although it was clarified that 5.3 billion Bluetooth devices are at risk.[18] Many devices are affected, including laptops, smart cars, smartphones and wearable gadgets.[1][2][4][5][6]
In 2018, one year after the original disclosure, Armis estimated that over 2 billion devices were still vulnerable.[19][20]
Mitigation
Google provides a BlueBorne vulnerability scanner from Armis for Android.[21]
Procedures to help protect devices from the BlueBorne security vulnerabilities were reported by September 2017.[22][23][24]