Bluetooth is a truly ubiquitous technology. It’s been in billions of devices sold to the general public, and it found its way into mobile phones, cars, printers, speaker systems, PCs, laptops, even expensive industrial equipment. It was used as a tracking mechanism to identify consumer trends early on before the days of stores offering free Wi-Fi that could tap into your GPS to track your every step. It’s an amazing piece of technology. And now it’s arguably the most dangerous, thanks to a broken piece of the Bluetooth specification that makes it an effective attack vector for secure networks.
Discovered by Armis Labs, BlueBorne is an airborne virus that spreads itself in an undetectable way across all vulnerable devices in your local area, delivering malware to devices with Bluetooth switched on. Bluetooth’s range these days is somewhere around ten metres for mobile phones and up to 100 meters for Class 1 devices like laptops or desktop computers, so it makes a Bluetooth personal area network a dangerous thing to have around. BlueBorne, also known as CVE-2017-0785, is one of a collection of eight vulnerabilities in the security of Bluetooth, four of which are considered critical (a nice way of saying “catastrophically bad”).
It currently attacks devices running Linux-based operating systems, Windows XP, Vista, and 7 through to 10, MacOS, Samsung Tizen OS, Google Chrome OS, and Android TV. Simpler devices like the Pebble Watch, Bluetooth peripherals, or older devices like a Motorola Razr, won’t necessarily be vulnerable, but by implementing the bare Bluetooth specification, they can be attacked with other exploits.
BlueBorne, in the words of Armis Labs, “allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware laterally to adjacent devices”. The device doesn’t have to be paired with the target device, and turning off discoverability mode doesn’t add protection. The attacker first identifies the target device and targets it with an information leak vulnerability, which gives them all the information they need to learn whether a device is unpatched or not, and once in control of the device via Bluetooth can launch any of the seven other known vulnerabilities currently ripe for exploitation.
Thanks to Bluetooth networks also being largely unsecured, a building full of employees using a secure, well-monitored Wi-Fi network can still be compromised via a network that they have no control over.
The difference between this and malware like WannaCry is that WannaCry was fully automated and wormable – if someone takes BlueBorne and makes it infect any and all devices it finds its way into, and somehow extracts private user data and sends it to a server on the internet, it has a much larger reach than WannaCry ever could manage. At least one of the vulnerabilities accessible after taking control of a device using BlueBorne, called CVE-2017-0781, will allow for remote code execution, so turning this into a worm is possible, and very likely to happen. Armis Labs’ video presents the BlueBorne threat as if it was already wormable, so the video overview linked above is more of a worst-case scenario than something actually happening now.
Whilst the vulnerabilities have been disclosed by Armis Labs to the relevant manufacturers, there are a staggering amount of devices that will never be patched or see any fixes from their manufacturers. Between one and four billion devices that no longer have support will remain vulnerable now that the exploit is in the wild, perhaps forever. This applies not just to mobile phones, but also to standalone Bluetooth devices like speakers, wireless remotes, laptops with the tech built-in, and in-car entertainment systems. Servers that use Bluetooth for temperature sensor monitoring? Sure. The same applies for photography kiosks, mobile card machines, remotely operated factory cranes, wireless printers, and some drones. There are even medical devices that use Bluetooth!
For the moment, Apple users on iOS 10 and later don’t need to worry, as Apple unwittingly covered themselves with iOS 10. The same goes for anyone using Microsoft Windows 7 and later, most Linux distributions, and MacOS, because these platforms will be seeded updates to fix this soon. Android phones that still receive support and security updates will eventually have the patch for this exploit, as well as devices running Google Android TV. Even Windows 8.1 RT gets covered.
Anything older than that gets left out in the cold. Devices on iOS 9.3 and earlier are vulnerable. Linux users on kernel 3.3rc1 and older, along with those using BlueZ to make Bluetooth work properly, are affected. My Sony Xperia Z1 Compact won’t get this fix, and neither will my brother’s Samsung Galaxy J5 Prime, or my mom’s Huawei P8 Lite. Samsung’s line of devices running Tizen might not get the fixes at all. I suspect that this is the case for the majority of the devices affected, which means that network security administrators now need to take Bluetooth devices into account when assessing their security vulnerabilities.
For now, just turn off Bluetooth wherever possible when you’re out in public on your phones, tablets, and smartwatches, and make sure your computers are patched with the most recent updates. And cross your fingers hoping that no-one worms this thing. Stay safe, everyone.