{{Short description|Security vulnerability affecting Bluetooth}} {{Use dmy dates|date=March 2020}} '''BlueBorne''' is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows.<ref name="ARMIS-2017">{{cite news |author=Staff |title=The Attack Vector "BlueBorne" Exposes Almost Every Connected Device |url=https://www.armis.com/blueborne/ |date=12 September 2017 |work=Armis.com |access-date=5 January 2018 }}</ref><ref name="ARMIS-2017-pdf">{{cite news |author=Staff |title=BlueBorne - Protecting the Enterprise from BlueBorne |url=https://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf |date=12 September 2017 |work=Armis.com |access-date=5 January 2018 |archive-date=20 December 2017 |archive-url=https://web.archive.org/web/20171220084324/http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf |url-status=dead }}</ref><ref name="TC-20170912">{{cite web |last=Biggs |first=Jpohn |title=New Bluetooth vulnerability can hack a phone in 10 seconds |url=https://techcrunch.com/2017/09/12/new-bluetooth-vulnerability-can-hack-a-phone-in-ten-seconds/ |date=12 September 2017 |work=TechCrunch |access-date=5 January 2018 }}</ref> It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is {{CVE|2017-14315}}. The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.<ref name="ARMIS-2017" /><ref name="ARMIS-2017-pdf" /><ref name="WIRED-20170913">{{cite magazine |last=Newman |first=Lily Hay |title=Hey, Turn Bluetooth Off When You're Not Using It |url=https://www.wired.com/story/turn-off-bluetooth-security/ |date=13 September 2017 |magazine=Wired |access-date=5 January 2018 }}</ref><ref name="Android-20170916">{{cite web |last=Hildenbrand |first=Jerry |title=Let's talk about Blueborne, the latest Bluetooth vulnerability |url=https://www.androidcentral.com/lets-talk-about-blueborne-latest-bluetooth-vulnerability |date=16 September 2017 |work=AndroidCentral.com |access-date=5 January 2018 }}</ref><ref name="EW-20170912">{{cite web |last=Kerner |first=Sean Michael |title=BlueBorne Bluetooth Flaws Put Billions of Devices at Risk |url=http://www.eweek.com/security/blueborne-bluetooth-flaws-put-billions-of-devices-at-risk |date=12 September 2017 |work=eWeek |access-date=5 January 2018 }}</ref> According to Armis, ''"The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]."''<ref name="ARMIS-2017" />
== History == The BlueBorne security vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017.<ref name="ARMIS-2017" />
== Technical Information == The BlueBorne vulnerabilities are a set of 8 separate vulnerabilities.<ref>{{Cite web|title=BlueBorne Whitepaper|url=https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf|url-status=live|archive-url=https://web.archive.org/web/20200505161458/https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf |archive-date=5 May 2020 }}</ref> They can be broken down into groups based upon platform and type. There were vulnerabilities found in the Bluetooth code of the Android, iOS, Linux and Windows platforms:<ref>{{Cite web|title=An Analysis of BlueBorne: Bluetooth Security Risks|url=https://duo.com/decipher/an-analysis-of-blueborne-bluetooth-security-risks|access-date=2021-07-28|website=Decipher|language=en}}</ref>
* Linux kernel RCE vulnerability - CVE-2017-1000251<ref>{{Cite web|title=NVD - CVE-2017-1000251|url=https://nvd.nist.gov/vuln/detail/CVE-2017-1000251|access-date=2021-07-28|website=nvd.nist.gov}}</ref> * Linux Bluetooth stack (BlueZ) information Leak vulnerability - CVE-2017-1000250<ref>{{Cite web|title=NVD - CVE-2017-1000250|url=https://nvd.nist.gov/vuln/detail/CVE-2017-1000250|access-date=2021-07-28|website=nvd.nist.gov}}</ref> * Android information Leak vulnerability - CVE-2017-0785<ref>{{Cite web|title=NVD - CVE-2017-0785|url=https://nvd.nist.gov/vuln/detail/CVE-2017-0785|access-date=2021-07-28|website=nvd.nist.gov}}</ref> * Android RCE vulnerability #1 - CVE-2017-0781<ref>{{Cite web|title=NVD - CVE-2017-0781|url=https://nvd.nist.gov/vuln/detail/CVE-2017-0781|access-date=2021-07-28|website=nvd.nist.gov}}</ref> * Android RCE vulnerability #2 - CVE-2017-0782<ref>{{Cite web|title=NVD - CVE-2017-0782|url=https://nvd.nist.gov/vuln/detail/CVE-2017-0782|access-date=2021-07-28|website=nvd.nist.gov}}</ref> * The Bluetooth Pineapple in Android - Logical Flaw CVE-2017-0783<ref>{{Cite web|title=NVD - CVE-2017-0783|url=https://nvd.nist.gov/vuln/detail/CVE-2017-0783|access-date=2021-07-28|website=nvd.nist.gov}}</ref> * The Bluetooth Pineapple in Windows - Logical Flaw CVE-2017-8628<ref>{{Cite web|title=NVD - CVE-2017-8628|url=https://nvd.nist.gov/vuln/detail/CVE-2017-8628|access-date=2021-07-28|website=nvd.nist.gov}}</ref> * Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315<ref>{{Cite web|title=NVD - CVE-2017-14315|url=https://nvd.nist.gov/vuln/detail/CVE-2017-14315|access-date=2021-07-28|website=nvd.nist.gov}}</ref>
The vulnerabilities are a mixture of information leak vulnerabilities, remote code execution vulnerability or logical flaw vulnerabilities. The Apple iOS vulnerability was a remote code execution vulnerability due to the implementation of LEAP (Low Energy Audio Protocol). This vulnerability was only present in older versions of the Apple iOS.<ref>{{Cite web|date=2017-09-22|title=What is BlueBorne? An Apple Device FAQ|url=https://www.intego.com/mac-security-blog/what-is-blueborne-an-apple-device-faq/|access-date=2021-07-28|website=The Mac Security Blog|language=en-US}}</ref>
== Impact == In 2017, BlueBorne was estimated to potentially affect all the 8.2 billion Bluetooth devices worldwide,<ref name="ARMIS-2017" /> although they clarify that 5.3 billion Bluetooth devices are at risk.<ref>{{Cite web|last=Smith|first=Ms|date=2017-09-12|title=5.3 billion devices at risk for invisible, infectious Bluetooth attack|url=https://www.csoonline.com/article/3224365/53-billion-devices-at-risk-for-invisible-infectious-bluetooth-attack.html|access-date=2021-07-28|website=CSO Online|language=en}}</ref> Many devices are affected, including laptops, smart cars, smartphones and wearable gadgets.<ref name="ARMIS-2017" /><ref name="ARMIS-2017-pdf" /><ref name="WIRED-20170913" /><ref name="Android-20170916" /><ref name="EW-20170912" />
In 2018, after one year after the original disclosure, Armis estimated that over 2 billion devices were still vulnerable.<ref>{{Cite web|last=Osborne|first=Charlie|title=Two billion devices still vulnerable to Blueborne flaws a year after discovery|url=https://www.zdnet.com/article/two-billion-devices-still-exposed-after-blueborne-vulnerabilities-reveal/|access-date=2021-07-28|website=ZDNet|language=en}}</ref><ref>{{Cite web|date=2018-09-13|title=BlueBorne: One Year Later|url=https://www.armis.com/blog/blueborne-one-year-later/|access-date=2021-07-28|website=Armis|language=en-US}}</ref>
== Mitigation == Google provides a BlueBorne vulnerability scanner from Armis for Android.<ref name="GoogleApp-2017">{{cite web |author=Staff |title=BlueBorne Vulnerability Scanner by Armis - 2017 |url=https://play.google.com/store/apps/details?id=com.armis.blueborne_detector&hl=en |date=12 September 2017 |work=Google |access-date=5 January 2018 }}</ref> Procedures{{clarify|date=February 2018}} to help protect devices from the BlueBorne security vulnerabilities were reported by September 2017.<ref name="Cornell-20170915">{{cite web |author=Staff |title=Information on new BlueBorne security vulnerability |url=https://its.weill.cornell.edu/news-and-alerts/news/information-on-new-blueborne-security-vulnerability |date=15 September 2017 |work=Cornell University |access-date=5 January 2018 }}</ref><ref name="FM-20170913">{{cite web |last=Meyer |first=David |title=How to Check If You're Exposed to Those Scary BlueBorne Bluetooth Flaws |url=http://fortune.com/2017/09/13/armis-blueborne-bluetooth-ios-android-windows-linux/ |date=13 September 2017 |work=Fortune |access-date=5 January 2018 }}</ref><ref name="WU-20170920">{{cite web |last=Geiger |first=Erik |title="BlueBorne" Exposes Millions of Bluetooth Devices |url=https://it.wisc.edu/news/blueborne-exposes-millions-bluetooth-devices/ |date=20 September 2017 |work=Wisconsin University |access-date=5 January 2018 |archive-date=5 January 2018 |archive-url=https://web.archive.org/web/20180105233711/https://it.wisc.edu/news/blueborne-exposes-millions-bluetooth-devices/ |url-status=dead }}</ref>{{update after|2018|2|1}}
== References == {{Reflist|colwidth=30em}}
== External links == *{{Official website|https://www.armis.com/blueborne/}}
{{Hacking in the 2010s}} {{Portal bar|Business and economics}}
Category:Computer security exploits Category:2017 in computing Category:Cybersecurity engineering