NOTICE: Update devices or turn off Bluetooth to protect against BlueBorne

Wednesday, September 20, 2017

The BlueBorne vulnerabilities offer a good reminder to keep your devices updated and turn off Bluetooth when you are not using it.

Summary

Security vulnerabilities in Bluetooth could expose smartphones, laptops, speakers, TVs, watches, and other devices to attack. The vulnerabilities, dubbed "BlueBorne," could allow an attacker to take over devices, spread malware, or gain access to data and networks. BlueBourne is a good reminder to always:

  • Update devices and software as patches and updates are available.
  • Turn off connections (Bluetooth, WiFi, and so on) when not in use.

Problem

The BlueBorne vulnerabilities could affect billions of devices, many of which may be running older, unsupported operating systems. Patches may not be available for all devices and operating systems. Users who cannot yet update their devices should turn off Bluetooth when not in use.

Affected Systems

Bluetooth implementations in Android, Microsoft, Linux, and versions of iOS previous to iOS 10.

In short, nearly all devices with Bluetooth capabilities are affected. Bluetooth is integrated into more than 8.2 billion products.

Action Items

  • Update your devices with updates/patches from the vendor.  Apple, Google, and Microsoft have all released updates that address BlueBorne.
    • iOS 10 and later are not affected by BlueBorn; no action needed. If you are using an older, unsupported version of iOS (9.35 and earlier), turn off Bluetooth.
    • Google has issued a security update patch and notified its partners. It may take some time for provider of Android-powered devices to release patches.
    • "Linux distributions have started to push updates," according to Armis Labs. Check with your Linux provider for updates.
  • Turn off Bluetooth when you are not using it.

Threats

"The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active," according to Armis Labs. It could be used to take complete control of targeted devices, but there are no reports of the vulnerability being widely exploited.

Technical Details

According to Armis Labs:
The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.

For more detail, see Technical Overview—BlueBorne Explained: How The Attack Vector Works (Armis Labs)

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.