Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

One Year Later, Over 2 Billion Devices Still Exposed to BlueBorne Attacks

One year after researchers disclosed the Bluetooth vulnerabilities dubbed BlueBorne, more than 2 billion devices are believed to still be vulnerable to attacks, either because their owners have failed to install patches or due to the fact that no patches are available.

One year after researchers disclosed the Bluetooth vulnerabilities dubbed BlueBorne, more than 2 billion devices are believed to still be vulnerable to attacks, either because their owners have failed to install patches or due to the fact that no patches are available.

The BlueBorne vulnerabilities were disclosed in September 2017 by Armis Labs, a company that specializes in protecting Internet of Things (IoT) devices. Its researchers found that nine Bluetooth implementation flaws affected mobile, desktop and IoT systems, including Android, iOS, Windows and Linux devices.

Armis later also revealed that Amazon Echo and Google Home devices were also vulnerable to these attacks.

An attacker who is in range of the targeted device can exploit one of the BlueBorne flaws for remote code execution or man-in-the-middle (MitM) attacks without user interaction, simply by knowing the type of operating system used by the victim.Billions of devices still vulnerable to BlueBorne attacks

Armis, which estimated that the security holes initially impacted roughly 5.3 billion Bluetooth-enabled devices, warned that BlueBorne can be used to deliver malware – including a worm that spreads to other devices via Bluetooth – take control of phones and computers, and redirect victims to arbitrary websites.

Armis now estimates that roughly two-thirds of the 5.3 billion impacted systems received updates that should protect them against BlueBorne attacks. However, there are still over 2 billion devices that are vulnerable.

Of these, the company says roughly one billion are running a version of Android that no longer receives security updates, including Android 5.1 Lollipop and earlier (734 million), and Android 6 Marshmallow and earlier (261 million). Another 50 million devices are running iOS 9.3.5 and earlier, which have not received patches.

Advertisement. Scroll to continue reading.

Armis also estimates that 200 million devices worldwide are running vulnerable versions of Windows, and 768 million devices are running an unpatched or unpatchable version of Linux. These Linux systems include servers, smartwatches, medical devices and industrial equipment.

“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” Armis VP of Research Ben Seri wrote in a blog post. “Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”

Armis pointed out that it had informed vendors about the BlueBorne vulnerabilities five months prior to making its findings public. However, many still only released patches tens and even hundreds of days after the public disclosure.

“Exploits like BlueBorne take a long time to go away,” Seri said. “This is because many of the impacted devices can’t be patched. In fact, we often have to wait until a device is retired or taken out of operation and turned off before it is no longer poses a risk. As we look across each of these platforms, Linux and Android have the longest tail, which aligns with what we are seeing in the marketplace.”

Armis noted that following the disclosure of the BlueBorne attack the cybersecurity industry once again started focusing on the threat posed by Bluetooth vulnerabilities. This led to the discovery of several potentially serious flaws affecting iOS and Android devices and even cars.

Most recently, in July, a team of researchers at the Israel Institute of Technology disclosed some Bluetooth implementation flaws that can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.