Security researchers have discovered eight vulnerabilities — collectively codenamed BlueBorne — in the Bluetooth implementations used by over 5.3 billion devices.
Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device.
They affect the Bluetooth implementations in Android, iOS, Windows, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars.
Three of these eight security flaws are rated critical and according to researchers at Armis — the IoT security company that discovered BlueBorne — they allow attackers to take over devices and execute malicious code, or to run Man-in-the-Middle attacks and intercept Bluetooth communications.
Furthermore, the vulnerabilities can be combined into a self-spreading Bluetooth worm that could wreak havoc inside a company's network or even across the world.
"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email.
"Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."
Armis warns of attacks that combine physical presence with the BlueBorne flaws. For example, a delivery person dropping a package at a bank could carry weaponized code on a Bluetooth-enabled device. Once the courier enters the bank, the device infects others and grants attackers a foothold on a previously secured network.
Armis reported the vulnerabilities to major hardware and software vendors, such as Apple, Google, Microsoft, and the Linux community. Some patches are being developed and will be released today and in the coming days and weeks.
Nonetheless, some devices will never receive a BlueBorne patch as the devices have reached End-Of-Life and are not being supported. Armis estimates this number at around 40% of all Bluetooth-enabled devices, which is over two billion devices.
BlueBorne vulnerabilities are tracked under the following identifiers: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785 for Android devices; CVE-2017-1000251 and CVE-2017-1000250 for Linux; CVE-2017-14315 for iOS, and CVE-2017-8628 on Windows.
All Android phones, tablets, and wearables of all versions are affected by the four above-mentioned vulnerabilities. Android devices using Bluetooth Low Energy only are not affected. Google patched the flaws in its September Android Security Bulletin.
Windows versions since Windows Vista are all affected. Microsoft said Windows phones are not impacted by BlueBorne. Microsoft secretly released patches in July for CVE-2017-8628, but only today included details about the fixed vulnerability in September's Patch Tuesday.
All Linux devices running BlueZ are affected by an information leak, while all Linux devices from version 3.3-rc1 (released in October 2011) are affected by a remote code execution flaw that can be exploited via Bluetooth. Samsung's Tizen OS, based on Linux, is also affected.
All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected, but the issue was patched in iOS 10.
✯ Disable Bluetooth unless you need to use it, but then turn it off immediately. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely.
✯ Users of Android devices can determine if their device is vulnerable by downloading the BlueBorne Android App from the Google Play Store and using it to run a simple and quick check.
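The Linux version range given above (kernels from 3.3-rc1 onward for the BlueZ remote code execution flaw) and the advice to keep Bluetooth off until a patch lands can be turned into a quick host triage script. The following is an added example written for this article, not code from Armis or from the article itself. It assumes a POSIX shell with cut, sed and uname; rfkill is used only if it is installed, and the "Soft blocked" / "Hard blocked" strings it matches are rfkill's own output. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the article or from Armis. Two defender-side
# checks for a Linux host: (1) does the running kernel fall in the version
# range the article gives for the BlueZ remote code execution flaw (3.3-rc1
# and later), and (2) is the Bluetooth radio currently blocked, which is the
# article's interim mitigation. Assumes POSIX sh, cut, sed, uname; rfkill optional.

# Return 0 if the kernel release string is 3.3 or later, 1 if it is older,
# 2 if it cannot be parsed. Only major.minor are compared, which is enough
# because the lower bound is the first 3.3 release candidate.
kernel_in_blueborne_range() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  # strip "-rc1", "-generic" etc. so "3-rc1" becomes "3"
  minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
  for part in "$major" "$minor"; do
    case "$part" in ''|*[!0-9]*) return 2 ;; esac
  done
  if [ "$major" -gt 3 ]; then return 0; fi
  if [ "$major" -eq 3 ] && [ "$minor" -ge 3 ]; then return 0; fi
  return 1
}

# Print "blocked", "unblocked" or "unknown" for the Bluetooth radio.
# "unknown" covers hosts without rfkill or without a Bluetooth adapter.
# A single adapter is assumed; the radio counts as unblocked only when
# rfkill reports neither a soft nor a hard block.
bluetooth_radio_state() {
  if ! command -v rfkill >/dev/null 2>&1; then
    echo unknown
    return 0
  fi
  out=$(rfkill list bluetooth 2>/dev/null) || { echo unknown; return 0; }
  case "$out" in
    '') echo unknown ;;
    *"Soft blocked: yes"*|*"Hard blocked: yes"*) echo blocked ;;
    *) echo unblocked ;;
  esac
}

# Combine both checks for the running host into one line of output.
blueborne_report() {
  rel=$(uname -r)
  if kernel_in_blueborne_range "$rel"; then
    range="in the affected version range (3.3-rc1 and later)"
  else
    range="older than 3.3 or unparsable"
  fi
  printf 'kernel %s: %s; Bluetooth radio: %s\n' \
    "$rel" "$range" "$(bluetooth_radio_state)"
}

# Run the report only when invoked with --check, so the file can also be
# sourced for its functions without side effects.
if [ "${1:-}" = "--check" ]; then
  blueborne_report
fi
```

Run it as `sh blueborne_check.sh --check`. A kernel in range with an unblocked radio is the state the article advises against until the distribution's BlueZ patch is installed; on such a host `rfkill block bluetooth` applies the interim "turn it off" advice from the command line, and `rfkill unblock bluetooth` reverses it once the update is in place.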
A technical report on the BlueBorne flaws is available here. Below is a video describing the BlueBorne attack, and demos for BlueBorne attacks on Android, Windows, and Linux devices.
If the BlueBorne flaws were weaponized in a Bluetooth worm, it would not be the first. Bluetooth worms have existed in the past and have caused many problems, especially for mobile carriers. One such example is Cabir.
Article updated to clarify that Microsoft silently patched the BlueBorne flaw in July.