Everything You Need to Know About BlueBorne

Armis Lab last week (September 12, 2017) reported that they discovered a vulnerability in the Bluetooth. This vulnerability is able to potentially access a users device without their knowledge. There is no link to click, an email attachment to open, or an app to install.
The vulnerability impacts Android, iOS, Windows and Linux devices that have Bluetooth capabilities. That accounts to over 8.2 billion devices! Chances are you are vulnerable too.

Scared yet? Well, don't be!

Step 1: Turn off your Bluetooth and keep reading

First, do as many have advised and temporarily turn off your Bluetooth. This prevents the vulnerability completely.

Now that you feel a little safer, know that when a security company like Armis Labs finds a vulnerability like this they immediately share this information with operating system companies. This is directly from their website:

Armis reached out to the following actors to ensure a safe, secure, and coordinated response to the vulnerabilities identified.
  • Google – Contacted on April 19, 2017, after which details were shared. Released public security update and security bulletin on September 4th, 2017. Coordinated disclosure on September 12th, 2017.
  • Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
  • Apple – Contacted on August 9, 2017. Apple had no vulnerability in its current versions.
  • Samsung – Contact on three separate occasions in April, May, and June. No response was received back from any outreach.
  • Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.

Step 2: Understand the issue

 BlueBorne is NOT a virus. BlueBorne is a collection of vulnerabilities found in the implementation of the Bluetooth software of many operating systems. Someone who wants to write a software virus can exploit the BlueBorne vulnerabilities to gain access to your device if they are in range of your device. The typical range of Bluetooth is 10 meters (33 feet).

Currently, there is no reported virus using the BlueBorne exploits. Operating System companies have known about this vulnerability for a few months and if they are affected they have been working on the fix prior to the public announcement.

Step 3: Check if there is an update for your device

Windows 10, 8 and 7:
Microsoft released security patches on September 9, 2017 that fixes the vulnerability for various version of Windows. For more information see this Microsoft Security Update.

MacOS / OSX:
There are no reports indicating MacOS is affected by this vulnerability.

iOS:
If your device is running iOS 10 or newer you are not affected.

Android:
For Nexus and Pixel phones Google has released a security patch September 9, 2017 that fixes the vulnerability. Ensure you have September 9, 2017 Security Patch Level. See this Android Security Bulletin

Google provided all Android Partners (Samsung, Lenovo/Motorola, HTC, etc) with a security patch in August. 

Samsung has indicated that they have incorporated the security patch and have rolled out to carriers. See this Samsung Update.

You will have to check with your manufacturer or carrier to determine if and when a patch will be available or your device.

Blackberry and QNX:
Blackberry phone running Android are affected, but a patch was release Sept 1, 2017. Blackberry phones running Blackberry OS and Blackberry 10 are not affected. Neither is QNX devices. See this Blackberry Article.

Linux:
Linux is an OS used in a variety of devices from smartwatches to smart TVs. Fixes have been issued in the main Linux OS on September 9, 2017, but it is up to the manufacturers and venues to provide updates for their particular device, much like the situation with Android smartphones, check with your manufacturer to see if and when a patch will be released.

For the Raspberry Pi, this forum post indicates that the Bluez protocol stack has been patched. See the forum post here.

Step 4: Verify the update worked

 Armis Labs has released a test app for Android devices which can be used to determine if your Android device is affected, as well as devices around you. Download: BlueBorne Vulnerability Detector in the Google Play Store.

If your device passes the test you can safely turn on and use your Bluetooth. If your device is vulnerable keep your Bluetooth turned off until a software update is provided and applied to your device.

For more information see:

Comments

Post a Comment

Popular posts from this blog

Apple Pay, Android Pay, contactless credit cards, is it safe?

Image
If you live in Canada and own a credit card you are now probably accustomed to tapping your credit card to pay for your small purchases. Canadian banks started issuing contactless credit cards in 2010, and most vendors now have pay terminals that support "Tap". Visa officially calls the contact-less credit card feature payWave  and MasterCard calls it  Tap & Go . For majority of Americans this great convenient form of payment came in 2014 with  Apple Pay  or Android Pay . Canadian banks are starting to enabling Apple Pay this  June . Apple Pay, and Android Pay use NFC. Early versions of the contactless credit cards used RFID and was a hot topic in 2012 as hackers demonstrated how the can read the data  just by standing near you with a smartphone. Since then Visa payWave and MasterCard Tap &Go have moved to using NFC. What is NFC and how is it different from RFID? NFC stands for Near Field Communication and is related to but not the same as
Read more

Failed CUDA Toolkit Install? Ubuntu 18.04 stuck on boot of Gnome Display Manager?

Image
I have been attempting to get TensorFlow GPU running on Ubuntu 18.04. The system requirements are simple:  TensorFlow GPU NVIDIA requirements . But I discovered the CUDA toolkit can result in some messy installation dependencies on specific versions of the Nvidia drivers leaving you with failed package installations such as: Errors were encountered while processing: /tmp/apt-dpkg-install-5dMwo8/100-nvidia-390_390.30-0ubuntu1_amd64.deb E: Sub-process /usr/bin/dpkg returned an error code (1) What's worse if you reboot your computer you are met with a computer that is stuck booting, the system not able to progress past loading the Gnome Display Manager. Is my computer completely messed up? If you are stuck at boot up sequence access a tty terminal by pressing  ctrl + alt + F2 . You will be prompted to login in. Do it. Next, type: sudo apt-get install -f The system will list dependencies that were not installed correctly. In my case, my installed Nvidia 390
Read more

How Salesforce uses AWS to Improve The Support Call Experience

Image
In April I wrote about how moving infrastructure to  the cloud is the start of a paradigm shift, and that building intelligence products and services is the next step. Today, I highlight an example of this presented by Salesforce and AWS . Youtube video link:  https://www.youtube.com/watch?v=TEiDEFFZjNw The key AWS services discussed in the video are: Amazon Lex Amazon Lex is a chatbot platform. It uses speech recognition and language understanding technology to analyze text and speech. Amazon Lex can be trained to recognize a users intent and carry out a conversation to collect the necessary data. Amazon Polly Amazon Polly is a text-to-speech service. You supply a string of text and Amazon Polly will return an audio file in a variety of different voices. To learn more about the features see  https://aws.amazon.com/polly/features/ . To see the currently supported languages and voices available for those languages see  https://docs.aws.amazon.com/polly/latest/dg/voicelis
Read more