---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'BlueBorne Attack against Bluetooth'
version: '1.1'
number: '2017-018'
fontsize: '11pt'
---

_History:_

* _13/09/2017 --- v1.0 -- Initial publication_
* _14/09/2017 --- v1.1 -- Corrected some typos_

# Summary

A new attack vector endangering major mobile, desktop, and IoT operating systems and the devices using them -- including Android, iOS, Windows, and Linux -- has been revealed by Armis Labs [1]. The new attack is dubbed **BlueBorne**, as it spreads through the air (_airborne_) and attacks devices via _Bluetooth_. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical.

_BlueBorne_ allows attackers to take control of devices, access corporate data and networks, penetrate secure _air-gapped_ networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released [1].

# Technical Details

The full description of the vulnerabilities and security flaws can be found in the whitepaper [2].

The attack is notable for its unusual reach and effectiveness. Essentially any Android, Linux, or Windows device that has not been recently patched and has Bluetooth turned on can be compromised by an attacking device in the Bluetooth range (around 10 meters). The attack does not require device users to click on any links, connect to a rogue Bluetooth device, or take any other action. The exploit process is generally very fast, requiring no more than 10 seconds to complete, and it works even when the targeted device is already connected to another Bluetooth-enabled device [3].

# Products Affected

* Android phones, tablets, and wearables -- except those using only Bluetooth Low Energy (CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785).
* Linux devices running BlueZ^[Linux Bluetooth protocol stack -- ] version `5.46` and earlier are affected by the information leak vulnerability (CVE-2017-1000250).
* Linux devices from kernel version `3.3-rc1` (released in October 2011) up to and including kernel version `4.13.1` are affected by the remote code execution vulnerability (CVE-2017-1000251).
* Microsoft Windows computers since Windows Vista are affected by the _Bluetooth Pineapple_ vulnerability, which allows an attacker to perform a man-in-the-middle attack (CVE-2017-8628).
* Apple iOS: iPhone, iPad and iPod touch devices with iOS `9.3.5` and lower, and AppleTV devices with version `7.2.2` and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it.

# Recommendations

* Apply the patches for the above-mentioned vulnerabilities provided by the respective vendors and OS maintainers.
* As a workaround, consider entirely disabling Bluetooth.

# References

[1]

[2]

[3]
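
For triage on Linux hosts, the following added example (not part of the CERT-EU advisory) compares a kernel release and a BlueZ version against the two Linux ranges listed under Products Affected. The function names and the `BLUEZ_VERSION` variable are assumptions made for this example, and a `-rc` suffix is treated as the release it precedes.

```shell
#!/bin/sh
# Added example, not CERT-EU code. Compares version strings with the Linux
# ranges listed in this advisory. A match means "check the vendor advisory":
# distribution kernels can carry backported fixes under an unchanged version.

# ver_to_num "4.13.1-generic" -> 4013001 (major*1000000 + minor*1000 + patch)
ver_to_num() {
    v=${1%%[!0-9.]*}    # drop suffixes such as "-rc1" or "-93-generic"
    IFS=. read -r a b c rest <<EOF
$v
EOF
    echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# CVE-2017-1000251: kernel 3.3-rc1 up to and including 4.13.1
kernel_in_range() {
    n=$(ver_to_num "$1")
    [ "$n" -ge 3003000 ] && [ "$n" -le 4013001 ]
}

# CVE-2017-1000250: BlueZ 5.46 and earlier
bluez_in_range() {
    [ "$(ver_to_num "$1")" -le 5046000 ]
}

# report <kernel-release> [bluez-version]; always returns 0
report() {
    if kernel_in_range "$1"; then
        echo "kernel $1: within the range listed for CVE-2017-1000251"
    else
        echo "kernel $1: outside the range listed for CVE-2017-1000251"
    fi
    if [ -n "${2:-}" ]; then
        if bluez_in_range "$2"; then
            echo "BlueZ $2: within the range listed for CVE-2017-1000250"
        else
            echo "BlueZ $2: outside the range listed for CVE-2017-1000250"
        fi
    fi
    return 0
}

# BLUEZ_VERSION is a hypothetical variable for this example: set it to the
# BlueZ version your package manager reports.
report "$(uname -r)" "${BLUEZ_VERSION:-}"
```

A result inside either range is a prompt to confirm the vendor's patch status for that host, not proof that the host is unpatched.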