In September 2017, experts with Armis Labs devised a new attack technique, dubbed BlueBorne, aimed at mobile, desktop and IoT devices that use Bluetooth. The BlueBorne attack exposes devices to a new remote attack, even without any user interaction and pairing, the unique condition for BlueBorne attacks is that targeted systems must have Bluetooth enabled.
The attack technique leverages on a total of nine vulnerabilities in the Bluetooth design that expose devices to cyber attacks.
A hacker in range of the targeted device can trigger one of the Bluetooth implementation issues for malicious purposes, including remote code execution and man-in-the-middle (MitM) attacks. The attacker only needs to determine the operating system running on the targeted device in order to use the correct exploit.
According to the experts, in order to launch a BlueBorne attack, it is not necessary to trick the victim into clicking on a link or opening a malicious file.
The attack is stealthy and victims will not notice any suspicious activity on their device.
Two months later, experts at Armis also revealed that millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, were affected by the Blueborne flaws.
At the time of BlueBorne disclosure, Armis estimated that the security flaw initially affected roughly 5.3 billion Bluetooth-enabled devices.
One year after the company published a new report that warns that roughly one-third of the 5.3 billion impacted devices are still vulnerable to cyber attacks.
“Today, about two-thirds of previously affected devices have received updates that protect them from becoming victims of a BlueBorne attack, but what about the rest? Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack.” states the new report published by Armis.
“The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.
It is disconcerting, one billion devices are still running a version of Android that no longer receives security updates, including Android 5.1 Lollipop and earlier (734 million), and Android 6 Marshmallow and earlier (261 million).
It is interesting to note that 768 million Linux devices are running an unpatched or unpatchable version, they include servers, industrial equipment, and IoT systems in many industries.
“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” continues the report published by Armis.
“Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”
Armis notified its findings to vendors five months ago, but the situation is not changed.
“As vulnerabilities and threats are discovered, it can take weeks, months, or more to patch them. Between the time Armis notified affected vendors about BlueBorne and its public disclosure, five months had elapsed. During that time, Armis worked with these vendors to develop fixes that could then be made available to partners or end-users.” added Armis.
Unmanaged and IoT devices grow exponentially in the enterprise dramatically enlarging the attack surface and attracting the interest of hackers focused in the exploitation of Bluetooth as an attack vector.
(Security Affairs – BlueBorne, hacking)