One year after security vendor Armis disclosed a set of nine exploitable vulnerabilities in Bluetooth, some 2 billion devices — including hundreds of millions of Android and iOS smartphones — remain exposed to the threat.
Armis disclosed the vulnerabilities — collectively dubbed "BlueBorne" — last September, describing them as an attack vector for adversaries to take complete control of Bluetooth devices. At the time, the company estimated some 5 billion Bluetooth-enabled products, including laptops, phones, smartwatches, and TVs, were impacted.
Since then, the vendors of many of these products have issued patches and software updates addressing the flaws.
But Armis estimates that at least 2 billion devices remain just as open to attack via BlueBorne vulnerabilities as they were one year ago.
Nearly half of the still-vulnerable devices, 995 million, are Android devices running either the Marshmallow or even older Lollipop versions of the operating system. Another 768 million are running either unpatched or unpatchable versions of Linux, 200 million are running various versions of Windows, and 50 million are iOS devices, the company said in a report Thursday.
That so many systems remain vulnerable to BlueBorne one year after the vulnerabilities were disclosed is not especially surprising, says Ben Seri, vice president of research at Armis. "When we first announced BlueBorne, we knew there were two primary challenges to addressing this type of exposure," he notes.
One of them is that many of the impacted devices — such as older, unsupported Android and iOS products — will never get patched, remaining at risk until the devices are discarded. Similarly, many systems running Linux, such as industrial equipment and medical devices, can be very difficult or impossible to patch.
The other challenge is the time it takes for device vendors, carriers, and enterprises to deploy patches — even when available — for such vulnerabilities. Google, Microsoft, and Linux groups, for instance, quickly issued patches for the flaws, but many of the others in the respective ecosystems have not, Seri says.
The BlueBorne vulnerabilities exist in Bluetooth implementations in Windows, Android, Linux, and iOS before Version 10. The flaws allow attackers to take complete control of vulnerable devices, steal data, distribute malware on them to conduct man-in-the-middle attacks, and spy on users.
Armis describes the BlueBorne flaws as enabling airborne attacks, where one infected Bluetooth device can be used to broadcast the malware to other devices over the air. To infect a device using BlueBorne, an attacker does not have to pair his or her own device with the target device, nor does the target device even need to be in discoverable mode.
"Airborne attacks bring new, frictionless attack capabilities," Seri says. Unlike traditional methods, users don't need to click a link or download a file to enable an attack. "Spreading through the air from device to device renders the attacks much more contagious and allows them to spread with minimum effort."
Such vulnerabilities also give attackers a way to jump air-gapped internal networks, such as those found in several critical infrastructure and industrial systems settings, he says.
Despite the prevalence of vulnerable systems, so far there is no evidence that attackers have actually exploited the flaws to do any of the things Armis has warned about. But the lack of evidence does not necessarily mean attackers aren't exploiting BlueBorne flaws.
"If attackers were to use airborne attacks, such as BlueBorne, how would this be detected?" Seri asks. "There would be no log that would show a Bluetooth attack taking place" in endpoint security products, firewalls, and network security products.
Bluetooth is completely unmonitored at many organizations, so for adversaries, attacks using BlueBorne would be a coveted vector since they would be completely under the radar, he says.
For enterprises, such vulnerabilities highlight the limitations of relying solely on device makers and carriers to address vulnerabilities in the operating systems and software stacks on their products. "It is critical to note that BlueBorne impacted not just IoT devices, not just the Amazon Echos, but [also] any device with Bluetooth — which means desktops, laptops, and potentially servers," Seri said.
Theoretically, at least, any device approved to be on a network could be compromised, and the attacker could then penetrate deeper into an organization.
"Enterprises should understand where connected devices are in use in their environments — both sanctioned and unsanctioned — [and] be able to track their actions and gain control over them in order to prevent the threat of attacks," Seri says.
Organizations need to be aware that any new communications method or protocol will always be a target for attacks and should expect to see attacks against Bluetooth vulnerabilities for years to come, adds Lamar Bailey, director of security research and development at Tripwire.
Auto updates, where available, are the best method for patching against known security issues so long as there is a process for thoroughly testing the updates before deployment. "Any one vendor or provider who pushes an update and bricks a bunch of customer devices will have a very bad day, and it will cause a financial impact," Bailey said.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.