One year ago, Armis disclosed the airborne attack vector BlueBorne, a set of nine exploitable Bluetooth vulnerabilities that can give an attacker complete control of a device and its data. It impacted almost every connected device running Android, Linux, Windows, and iOS versions before iOS 10, regardless of the Bluetooth version in use.
Since then, vendors have steadily issued updates, and today many millions of devices are patched, but certainly not all. By our calculations, over two billion remain exposed either because they haven’t been updated, or because they won’t receive updates at all.
BlueBorne also sparked research into what other vulnerabilities might exist in the over 8.2 billion Bluetooth-enabled devices used all over the world. While several Bluetooth vulnerabilities were discovered since BlueBorne, the speed with which some vendors issued patches has not improved significantly.
Before we dig into the specifics of where we are today, let’s take a look back at the nuts and bolts of BlueBorne and the extent of its reach.
BlueBorne is an airborne attack vector that uses Bluetooth to allow an attacker to penetrate and take complete control over targeted devices. The attack does not require the targeted device to be paired to the attacker’s device or even set to discoverable mode.
Unlike the majority of attacks which rely on internet connectivity, a BlueBorne attack could spread through the air. Attacks like these were almost entirely unexplored by the research community, which left (and still leaves) devices more vulnerable than to other more well-researched attack vectors. Another critical difference was that with BlueBorne, an attacker could access and take over devices unnoticed by bypassing traditional security measures which weren’t designed to protect against airborne attacks.
If exploited, an attacker could use Blueborne for remote code execution or Man-in-the-Middle attacks. An airborne attack also opens up many opportunities to conduct an attack:
Unlike traditional malware or attacks, the user does not have to click a link or download a questionable file. No action by the user is necessary to enable the attack.
Spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort.
Airborne attacks can allow hackers to penetrate secure, air-gapped internal networks. That puts industrial systems, government agencies, and critical infrastructure at extreme risk.
BlueBorne impacted 5.3 billion devices running Android, Linux, Windows, and iOS. Ordinary computers, mobile phones, and IoT devices – anything with a Bluetooth radio – were all vulnerable to BlueBorne’s nine zero-day vulnerabilities.
Since Armis disclosed BlueBorne, some things have changed, but some have not. There are still many people using vulnerable unpatched and unpatchable devices. Most vendors have looked into improving the update process, but not all of them. Meanwhile, attackers continue to look for an expose vulnerabilities like BlueBorne right under the noses of unsuspecting enterprises.
1. Billions of devices are still exposed
Today, about two-thirds of previously affected devices have received updates that protect them from becoming victims of a BlueBorne attack, but what about the rest? Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack. The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.
However, an inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks. Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.
2. Patches still take a lot of time to deploy
As vulnerabilities and threats are discovered, it can take weeks, months, or more to patch them. Between the time Armis notified affected vendors about BlueBorne and its public disclosure, five months had elapsed. During that time, Armis worked with these vendors to develop fixes that could then be made available to partners or end-users. Let’s look at the BlueBorne disclosure timeline and a handful of end-user patches as an example.
September 12, 2017: First public BlueBorne disclosure
November 14, 2017: Second public BlueBorne disclosure
Some vendors made strides to improve the update process over the last year. Devices like Amazon Echo and Google Home received updates automatically over the air, and Google’s Project Treble modularized the Android OS, making it somewhat easier and faster for vendors to push critical security updates to end users.
However, getting updates to a vast number of devices is still problematic:
As you can see, exploits like BlueBorne take a long time to go away. This is because many of the impacted devices can’t be patched. In fact, we often have to wait until a device is retired or taken out of operation and turned off before it no longer poses a risk. As we look across each of these platforms, Linux and Android have the longest tail, which aligns with what we are seeing in the marketplace. The chart below reflects a “half-life” of the BlueBorne exposure.
3. Bluetooth vulnerabilities still being uncovered
In September of last year, CSO reported “The scariest thing about BlueBorne, the attack vector that uses Bluetooth to spread across devices, isn’t what it can do, but rather just how many similar vulnerabilities may be lurking that we don’t yet know about.”
They were right.
BlueBorne awakened the research community to the growing sophistication of attacks. In fact, since BlueBorne, researchers discovered many more critical Bluetooth vulnerabilities, notably an escalation in Android Bluetooth vulnerabilities:
Unmanaged and IoT devices are growing exponentially in the enterprise. They carry the promise of connectivity and productivity. However, they are also the new attack landscape. Attackers increasingly focus on new methods to exploit these devices because they take advantage of new connectivity methods (like Bluetooth), and because of their inherent lack of protection. Since Bluetooth vulnerabilities can spread over the air and between devices, they are a genuine threat to any organization or individual.
Existing security products only detect and block attacks that spread over IP connections. Therefore, products like endpoint protection, mobile device management, firewalls, and other network security products can’t stop airborne attacks like BlueBorne.
Only new solutions designed to address new kinds of threats can stop airborne attack vectors. As well, more research needs to uncover vulnerabilities in protocols used by unmanaged and IoT devices that increasingly find their way onto enterprise networks.
Sign up to receive the latest news