Security researchers from Armis Labs recently published a whitepaper unveiling eight critical 0-day Bluetooth-related vulnerabilities, affecting Linux, Windows, Android and iOS operating systems. These vulnerabilities, alone or combined, can lead to privileged code execution on a target device. The only requirement is that Bluetooth is turned on. No user interaction is necessary to successfully exploit the flaws; the attacker does not need to pair with the target device, nor does the target device need to be paired with any other device.
The research paper, dubbed BlueBorne (what’s a vulnerability, or a bunch, without a cool name nowadays?), details each vulnerability and how it was exploited. BlueBorne is estimated to affect over five billion devices. Some vendors, like Microsoft, have already issued a patch while others, like Samsung, remain silent. Despite the patches, some devices will never receive a BlueBorne patch since they are outside of their support window. Armis estimates this accounts for around 40% of all Bluetooth enabled devices.
A self-replicating worm that would spread and hop from a device to other nearby devices with Bluetooth turned on was mentioned by the researchers as something that could be done with some more work. That immediately reminds us of the BroadPwn vulnerability, in which the researchers implemented what is most likely the first WiFi-only worm. Although it is definitely a fun security exercise to code such a worm, it’s really a bad, bad idea… Right?…
So who’s affected?
It is difficult to provide a comprehensive list of all affected devices. All unpatched Windows systems from Vista and up are affected; Microsoft secretly released patches in July for CVE-2017-8628. All Linux devices running BlueZ are affected by an information leak, and all Linux devices running kernel version 3.3-rc1 and up (released in October 2011) are affected by a remote code execution flaw. All Android phones, tablets, and wearables of all versions are affected, except for those which use only Bluetooth Low Energy. Google’s patches were issued in the September Android Security Bulletin. iPhone, iPad and iPod devices running iOS 9.3.5 and lower, and Apple TV devices running version 7.2.2 and lower, are affected. Other Linux-based OSes are likely to be affected, for instance Samsung Tizen OS. I know my Samsung Galaxy S8 is, or so the Android app that the researchers published shows.
It is probably a good idea to check and apply the latest patches available for your favourite devices, especially if they are mobile and you carry them everywhere with Bluetooth on. That being said, the obvious solution is to turn off Bluetooth. This is probably something you already do in order to save battery. Unfortunately, this might not be possible for everyone, especially those who heavily rely on Bluetooth devices, like hands-free, for example.
Meanwhile, enjoy the demo: