By Ben Seri, VP of Research
One year ago, Armis disclosed the airborne attack vector BlueBorne, a set of nine exploitable Bluetooth vulnerabilities that can give an attacker complete control of a device and its data. It impacted almost every connected device running Android, Linux, Windows, and iOS versions before iOS 10, regardless of the Bluetooth version in use.
Since then, vendors have steadily issued updates, and today many millions of devices are patched, but certainly not all. By our calculations, over two billion remain exposed either because they haven’t been updated, or because they won’t receive updates at all.
BlueBorne also sparked research into what other vulnerabilities might exist in the over 8.2 billion Bluetooth-enabled devices used all over the world. While several Bluetooth vulnerabilities were discovered since BlueBorne, the speed with which some vendors issued patches has not improved significantly.
Before we dig into the specifics of where we are today, let’s take a look back at the nuts and bolts of BlueBorne and the extent of its reach.
What is BlueBorne?
BlueBorne is an airborne attack vector that uses Bluetooth to allow an attacker to penetrate and take complete control over targeted devices. The attack does not require the targeted device to be paired to the attacker’s device or even set to discoverable mode.
How is BlueBorne different?
Unlike the majority of attacks which rely on internet connectivity, a BlueBorne attack could spread through the air. Attacks like these were almost entirely unexplored by the research community, which left (and still leaves) devices more vulnerable than to other more well-researched attack vectors. Another critical difference was that with BlueBorne, an attacker could access and take over devices unnoticed by bypassing traditional security measures which weren’t designed to protect against airborne attacks.
How dangerous is BlueBorne?
If exploited, an attacker could use Blueborne for remote code execution or Man-in-the-Middle attacks. An airborne attack also opens up many opportunities to conduct an attack:
Unlike traditional malware or attacks, the user does not have to click a link or download a questionable file. No action by the user is necessary to enable the attack.
Spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort.
Airborne attacks can allow hackers to penetrate secure, air-gapped internal networks. That puts industrial systems, government agencies, and critical infrastructure at extreme risk.
Who was affected?
BlueBorne impacted 5.3 billion devices running Android, Linux, Windows, and iOS. Ordinary computers, mobile phones, and IoT devices – anything with a Bluetooth radio – were all vulnerable to BlueBorne’s nine zero-day vulnerabilities.
Where are we today?
Since Armis disclosed BlueBorne, some things have changed, but some have not. There are still many people using vulnerable unpatched and unpatchable devices. Most vendors have looked into improving the update process, but not all of them. Meanwhile, attackers continue to look for an expose vulnerabilities like BlueBorne right under the noses of unsuspecting enterprises.
1. Billions of devices are still exposed
Today, about two-thirds of previously affected devices have received updates that protect them from becoming victims of a BlueBorne attack, but what about the rest? Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack. The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.
- 768 million devices running Linux
- 734 million devices running Android 5.1 (Lollipop) and earlier
- 261 million devices running Android 6 (Marshmallow) and earlier
- 200 million devices running affected versions of Windows
- 50 million devices running iOS version 9.3.5 and earlier
However, an inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks. Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.
2. Patches still take a lot of time to deploy
As vulnerabilities and threats are discovered, it can take weeks, months, or more to patch them. Between the time Armis notified affected vendors about BlueBorne and its public disclosure, five months had elapsed. During that time, Armis worked with these vendors to develop fixes that could then be made available to partners or end-users. Let’s look at the BlueBorne disclosure timeline and a handful of end-user patches as an example.
- Armis makes a coordinated public disclosure about BlueBorne with Google, Linux, and Microsoft. Google releases patches to partners, Linux publishes patch information, and Microsoft releases patches to all affected Windows devices.
- Android patches start rolling out to end users slowly. Some examples include:
- 10/3/2017: 21 days later – Verizon pushes September Android updateto Samsung Galaxy S6, S6 Edge, S6 Edge+, S8, S8+, Note 5, and Moto Z2 Force
- 10/8/2018: 26 days later – Huawei publishes security advisory and update information about affected devices
- 10/10/2017: 28 days later – Verizon pushes September Android updateto Moto Z, Moto Z Force, and Moto Z Play
- 10/13/2017: 31 days later – AT&T pushes an update for Nexus 6 and LG V10
- 10/30/2017: 48 days later – AT&T pushes an update for Samsung Galaxy S7 and Galaxy S7 Edge
- 1/8/2018: 118 days later – Verizon pushes updates to Samsung Galaxy S5, Note 4, Note Edge
- 6/7/2018: 268 days later – Lenovo issues a security patch for some older Android tablets
- iOS 10 and later was not affected by BlueBorne, but previous versions were impacted and remain unpatched.
- Armis makes a second coordinated public disclosure about BlueBorne vulnerabilities, this time affecting 15 million Amazon Echo and 5 million Google Home devices. Amazon and Google push patches to Echo and Google Home devices automatically.
Some vendors made strides to improve the update process over the last year. Devices like Amazon Echo and Google Home received updates automatically over the air, and Google’s Project Treble modularized the Android OS, making it somewhat easier and faster for vendors to push critical security updates to end users.
However, getting updates to a vast number of devices is still problematic:
- Not all Android devices support Project Treble, so they’ll have to wait for updates.
- End-of-life or end-of-support devices people still in-use today, including 209 million iOS devices, won’t receive updates at all.
- Devices running Linux, like medical devices and industrial equipment, can be difficult or impossible to patch with critical security updates.
As you can see, exploits like BlueBorne take a long time to go away. This is because many of the impacted devices can’t be patched. In fact, we often have to wait until a device is retired or taken out of operation and turned off before it no longer poses a risk. As we look across each of these platforms, Linux and Android have the longest tail, which aligns with what we are seeing in the marketplace. The chart below reflects a “half-life” of the BlueBorne exposure.
3. Bluetooth vulnerabilities still being uncovered
In September of last year, CSO reported “The scariest thing about BlueBorne, the attack vector that uses Bluetooth to spread across devices, isn’t what it can do, but rather just how many similar vulnerabilities may be lurking that we don’t yet know about.”
They were right.
BlueBorne awakened the research community to the growing sophistication of attacks. In fact, since BlueBorne, researchers discovered many more critical Bluetooth vulnerabilities, notably an escalation in Android Bluetooth vulnerabilities:
- February 2018 – Researchers disclosed a Bluetooth vulnerability in Apple iOS, watchOS, and tvOS that can allow sandboxed processes to communicate with other processes outside of the sandbox.
- March 2018 – Researchers disclosed five new Bluetooth-based critical remote code execution vulnerabilities in Android (CVE-2017-13160, CVE-2017-13255, CVE-2017-13256, CVE-2017-13272, CVE-2017-13266). Android 8.1 (Oreo) includes patches for these vulnerabilities, but they still affect devices running Android 7 (Nougat) or older. That’s a whopping 78% or 1.3 billion active Android devices.
- May 2018 – Researchers at Tencent disclose Bluetooth vulnerabilities in BMW ConnectedDrive.
- July 2018 – Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate devices validate the public encryption key received over-the-air during secure pairing. The vulnerability affects firmware or operating system software drivers from major vendors including Apple, Broadcom, Intel, and Qualcomm.
How can you combat new attack surfaces?
Unmanaged and IoT devices are growing exponentially in the enterprise. They carry the promise of connectivity and productivity. However, they are also the new attack landscape. Attackers increasingly focus on new methods to exploit these devices because they take advantage of new connectivity methods (like Bluetooth), and because of their inherent lack of protection. Since Bluetooth vulnerabilities can spread over the air and between devices, they are a genuine threat to any organization or individual.
Existing security products only detect and block attacks that spread over IP connections. Therefore, products like endpoint protection, mobile device management, firewalls, and other network security products can’t stop airborne attacks like BlueBorne.
Only new solutions designed to address new kinds of threats can stop airborne attack vectors. As well, more research needs to uncover vulnerabilities in protocols used by unmanaged and IoT devices that increasingly find their way onto enterprise networks.