Monday, September 18, 2017

Everything You Need to Know About BlueBorne

Armis Labs last week (September 12, 2017) reported that they discovered a vulnerability in Bluetooth. This vulnerability could potentially let an attacker access a user's device without their knowledge. There is no link to click, no email attachment to open, and no app to install.
The vulnerability impacts Android, iOS, Windows and Linux devices that have Bluetooth capabilities. That amounts to over 8.2 billion devices! Chances are you are vulnerable too.

Scared yet? Well, don't be!

Step 1: Turn off your Bluetooth and keep reading

First, do as many have advised and temporarily turn off your Bluetooth. This prevents the vulnerability completely.

Now that you feel a little safer, know that when a security company like Armis Labs finds a vulnerability like this, they immediately share the information with the operating system companies. This is directly from their website:

Armis reached out to the following actors to ensure a safe, secure, and coordinated response to the vulnerabilities identified.
  • Google – Contacted on April 19, 2017, after which details were shared. Released public security update and security bulletin on September 4th, 2017. Coordinated disclosure on September 12th, 2017.
  • Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
  • Apple – Contacted on August 9, 2017. Apple had no vulnerability in its current versions.
  • Samsung – Contacted on three separate occasions in April, May, and June. No response was received back from any outreach.
  • Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.

Step 2: Understand the issue

BlueBorne is NOT a virus. BlueBorne is a collection of vulnerabilities found in the implementation of the Bluetooth software of many operating systems. Someone who wants to write a software virus can exploit the BlueBorne vulnerabilities to gain access to your device if they are in range of your device. The typical range of Bluetooth is 10 meters (33 feet).

Currently, there is no reported virus using the BlueBorne exploits. Operating system companies have known about this vulnerability for a few months, and those that are affected have been working on the fix prior to the public announcement.

Step 3: Check if there is an update for your device

Windows 10, 8 and 7:
Microsoft released security patches on September 9, 2017 that fix the vulnerability for various versions of Windows. For more information see this Microsoft Security Update.

MacOS / OSX:
There are no reports indicating MacOS is affected by this vulnerability.

iOS:
If your device is running iOS 10 or newer you are not affected.

Android:
For Nexus and Pixel phones, Google has released a security patch on September 9, 2017 that fixes the vulnerability. Ensure you have the September 9, 2017 security patch level. See this Android Security Bulletin.

Google provided all Android partners (Samsung, Lenovo/Motorola, HTC, etc.) with a security patch in August.

Samsung has indicated that they have incorporated the security patch and rolled it out to carriers. See this Samsung Update.

You will have to check with your manufacturer or carrier to determine if and when a patch will be available for your device.

Blackberry and QNX:
Blackberry phones running Android are affected, but a patch was released on Sept 1, 2017. Blackberry phones running Blackberry OS and Blackberry 10 are not affected. Neither are QNX devices. See this Blackberry Article.

Linux:
Linux is an OS used in a variety of devices from smartwatches to smart TVs. Fixes were issued in the main Linux OS on September 9, 2017, but it is up to the manufacturers and vendors to provide updates for their particular devices, much like the situation with Android smartphones. Check with your manufacturer to see if and when a patch will be released.

For the Raspberry Pi, this forum post indicates that the BlueZ protocol stack has been patched. See the forum post here.

Step 4: Verify the update worked

Armis Labs has released a test app for Android devices which can be used to determine if your Android device is affected, as well as devices around you. Download: BlueBorne Vulnerability Detector in the Google Play Store.

If your device passes the test you can safely turn on and use your Bluetooth. If your device is vulnerable keep your Bluetooth turned off until a software update is provided and applied to your device.

For more information see: