One year after researchers disclosed the Bluetooth vulnerabilities dubbed BlueBorne, more than 2 billion devices are believed to remain vulnerable, either because their owners never installed the patches or because no patches exist for them.
The BlueBorne vulnerabilities were disclosed in September 2017 by Armis Labs, a company that specializes in protecting Internet of Things (IoT) devices. Its researchers found eight Bluetooth implementation flaws affecting mobile, desktop and IoT systems, including Android, iOS, Windows and Linux devices.
Armis later revealed that Amazon Echo and Google Home devices were also exposed to these attacks.
An attacker within Bluetooth range of the targeted device can exploit one of the BlueBorne flaws for remote code execution or a man-in-the-middle (MitM) attack without any user interaction. The target only needs to have Bluetooth enabled; it does not have to be in discoverable mode or paired with the attacker, and the attacker needs to know only which operating system the victim runs in order to pick the matching flaw.
Armis, which estimated that the flaws initially affected roughly 5.3 billion Bluetooth-enabled devices, warned that BlueBorne could be used to deliver malware, including a worm that spreads to nearby devices over Bluetooth, to take control of phones and computers, and to redirect victims to arbitrary websites.
Armis now estimates that roughly two-thirds of the 5.3 billion impacted systems received updates that should protect them against BlueBorne attacks. However, there are still over 2 billion devices that are vulnerable.
Of these, the company says roughly one billion are running a version of Android that no longer receives security updates: Android 5.1 Lollipop and earlier (734 million) and Android 6 Marshmallow (261 million). Another 50 million devices are running iOS 9.3.5 and earlier, for which no patch was ever released.
Armis also estimates that 200 million devices worldwide are running vulnerable versions of Windows, and 768 million devices are running an unpatched or unpatchable version of Linux. These Linux systems include servers, smartwatches, medical devices and industrial equipment.
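The per-platform breakdown above is only useful to a defender if it can be turned into a check against an actual device inventory. The following is an added example, not code from Armis or from this article. It encodes only the thresholds the article states (Android 6 and earlier and iOS 9.3.5 and earlier will not get a fix) plus one outside fact: the BlueBorne fixes for Android shipped in the September 2017 security bulletin, so a device whose security patch level is 2017-09-05 or later is patched. The article gives totals but no version cut-off for Windows or Linux, so those records are flagged for a vendor-advisory lookup rather than classified with a guessed threshold. The `Device` record, its field names and the sample inventory are constructed for the example.

```python
"""BlueBorne exposure triage over a device inventory.

Added example, not code from Armis or SecurityWeek. Thresholds come from the
article, plus the Android 2017-09-05 security patch level that carried the
fixes. Inventory records below are constructed, not real hosts.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

ANDROID_FIX_PATCH_LEVEL = date(2017, 9, 5)  # Android bulletin that shipped the BlueBorne fixes
ANDROID_LAST_UNSUPPORTED_MAJOR = 6           # article: Marshmallow and earlier no longer updated
IOS_FIRST_FIXED = (10, 0, 0)                 # article: iOS 9.3.5 and earlier never got a fix

PATCHED, UNPATCHED, UNPATCHABLE, REVIEW = "patched", "unpatched", "unpatchable", "review"


@dataclass
class Device:
    """Constructed inventory record (hypothetical field names)."""
    name: str
    os: str                             # "android", "ios", "windows", "linux"
    version: str                        # e.g. "8.1.0"
    patch_level: Optional[str] = None   # Android ro.build.version.security_patch, "YYYY-MM-DD"


def parse_version(text: str) -> tuple:
    """'9.3.5' -> (9, 3, 5); pads to three components so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(dev: Device) -> str:
    """Map one device to patched / unpatched / unpatchable / review."""
    osname = dev.os.lower()
    ver = parse_version(dev.version)
    if osname == "android":
        if dev.patch_level and date.fromisoformat(dev.patch_level) >= ANDROID_FIX_PATCH_LEVEL:
            return PATCHED
        # Still exposed: can this release realistically expect a fix?
        if ver[0] <= ANDROID_LAST_UNSUPPORTED_MAJOR:
            return UNPATCHABLE
        return UNPATCHED
    if osname == "ios":
        return PATCHED if ver >= IOS_FIRST_FIXED else UNPATCHABLE
    # Windows and Linux: the article gives counts but no version cut-off, so the
    # honest answer is a vendor-advisory lookup, not a made-up threshold.
    return REVIEW


def triage(devices):
    """Group an inventory by exposure class; returns {class: [device names]}."""
    buckets = {PATCHED: [], UNPATCHED: [], UNPATCHABLE: [], REVIEW: []}
    for d in devices:
        buckets[classify(d)].append(d.name)
    return buckets


# Constructed sample inventory (not real hosts)
SAMPLE = [
    Device("phone-01", "android", "8.1.0", "2018-06-05"),
    Device("phone-02", "android", "7.1.2", "2017-08-05"),
    Device("tablet-03", "android", "5.1.1", "2016-11-01"),
    Device("pad-04", "ios", "9.3.5"),
    Device("pad-05", "ios", "11.4"),
    Device("ws-06", "windows", "10.0.16299"),
    Device("gw-07", "linux", "4.9.0"),
]

if __name__ == "__main__":
    for cls, names in triage(SAMPLE).items():
        print(f"{cls:12s} {', '.join(names) or '-'}")
```

The Android branch deliberately tests the security patch level before the OS version: a Marshmallow device that did receive the 2017-09-05 level is patched, while a newer release that never got past an August 2017 level is exposed but fixable. That ordering is what separates the "update it" bucket from the "retire it" bucket the article describes.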
“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” Armis VP of Research Ben Seri wrote in a blog post. “Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”
Armis pointed out that it had informed vendors about the BlueBorne vulnerabilities five months before making its findings public. Even so, many vendors released patches only tens, or even hundreds, of days after the public disclosure.
“Exploits like BlueBorne take a long time to go away,” Seri said. “This is because many of the impacted devices can’t be patched. In fact, we often have to wait until a device is retired or taken out of operation and turned off before it no longer poses a risk. As we look across each of these platforms, Linux and Android have the longest tail, which aligns with what we are seeing in the marketplace.”
Armis noted that following the disclosure of the BlueBorne attack the cybersecurity industry once again started focusing on the threat posed by Bluetooth vulnerabilities. This led to the discovery of several potentially serious flaws affecting iOS and Android devices and even cars.
Most recently, in July, a team of researchers at the Technion (Israel Institute of Technology) disclosed Bluetooth pairing flaws that allow an attacker in physical proximity to two targeted devices to monitor and manipulate the traffic they exchange. The weakness lay in implementations that did not fully validate the elliptic-curve public keys exchanged during pairing, which is a different class of bug from the BlueBorne stack flaws and is fixed by checking that a received key is actually a point on the curve.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.