Full Report
Researchers from Armis Labs have identified a new attack vector, dubbed BlueBorne, that endangers mobile, desktop and IoT operating systems, including Android, iOS, Windows, and Linux.
Analysis Summary
# Vulnerability: BlueBorne Bluetooth Vulnerabilities
## CVE Details
*Note: BlueBorne is a collection of eight vulnerabilities. Key identifiers include:*
- **CVE ID:** CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785 (Android); CVE-2017-1000251, CVE-2017-1000250 (Linux); CVE-2017-8628 (Windows); CVE-2017-14315 (iOS)
- **CVSS Score:** Up to 8.8 (High/Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-200 (Information Exposure)
## Affected Systems
- **Products:** Android, iOS, Windows, and Linux-based platforms (including IoT devices).
- **Versions:**
  - **Android:** All phones, tablets, and wearables (prior to Sept 2017 patch).
  - **Windows:** All versions since Windows Vista.
  - **Linux:** Devices running BlueZ (Kernel 3.3-rc1 and later).
  - **iOS:** iOS 9.3.5 and lower; AppleTV 7.0.2 and lower.
- **Configurations:** Vulnerable if Bluetooth is enabled, regardless of whether the device is set to "discoverable" mode or paired with other devices.
## Vulnerability Description
BlueBorne is an attack vector utilizing multiple memory corruption and logical flaws in the implementation of various Bluetooth stacks. Unlike traditional attacks, it does not require user interaction or pairing.
- **RCE Flaws:** Several CVEs involve heap overflows in the Bluetooth Network Encapsulation Protocol (BNEP) and Service Discovery Protocol (SDP).
- **Man-in-the-Middle (MitM):** Logical flaws in the Bluetooth stack allow an attacker to impersonate a trusted device and redirect traffic.
- **Information Leak:** Flaws in SDP allow an attacker to leak memory contents to identify the device and bypass ASLR.
## Exploitation
- **Status:** PoC available; research-driven exploitation demonstrated by Armis Labs.
- **Complexity:** Medium (Requires proximity but no user interaction).
- **Attack Vector:** Adjacent (Bluetooth range).
## Impact
- **Confidentiality:** High (Data theft and traffic sniffing via MitM).
- **Integrity:** High (Full system control via Remote Code Execution).
- **Availability:** High (Potential for crashing services or total device takeover).
## Remediation
### Patches
- **Android:** September 2017 Security Patch Level or later.
- **Windows:** Addressed in CVE-2017-8628 (September 2017 "Patch Tuesday").
- **Linux:** Update to the latest `bluez` and kernel versions (fixes issued by major distributions such as Debian, Ubuntu, and Red Hat).
- **iOS:** Update to iOS 10 or later.
### Workarounds
- **Disable Bluetooth:** Turning off Bluetooth on all vulnerable devices when not in use is the most effective temporary mitigation.
- **Isolation:** For IoT devices that cannot be patched, ensure they are physically isolated from areas where unauthorized individuals can gain Bluetooth proximity.
## Detection
- **Indicators of compromise:** Unusual Bluetooth pairing requests (though many BlueBorne flaws require no pairing); unauthorized BNEP service activations.
- **Detection methods and tools:** Armis released a "BlueBorne Scanner App" (for Android) to check if the local environment or device is vulnerable. Enterprise vulnerability scanners have since integrated checks for these CVEs.
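Added example (not code from Armis or any vendor referenced above): a Python triage helper that applies the affected-version table and patch thresholds from this advisory to a device inventory. The `Device` record, its field names and the sample hosts are assumptions; the verdict treats Bluetooth-off as mitigated and ignores discoverable/paired state, as the advisory states.

```python
import re
from dataclasses import dataclass
ANDROID_FIXED_PATCH_LEVEL = "2017-09-01"   # September 2017 Security Patch Level (advisory)
LAST_VULNERABLE = {"ios": "9.3.5", "appletv": "7.0.2"}   # last affected Apple versions (advisory)
LINUX_FIRST_VULNERABLE_KERNEL = "3.3-rc1"  # BlueZ devices on this kernel or later (advisory)

def parse_version(v: str) -> tuple:
    """'3.3-rc1' -> (3, 3, 0, 1); a release gets rc=inf so '3.3-rc1' < '3.3' < '3.3.1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else float("inf"))

@dataclass
class Device:   # hypothetical inventory record, not a real tool's schema
    name: str
    platform: str                     # android | ios | appletv | windows | linux
    version: str                      # iOS/tvOS version or Linux kernel version ("" for Windows)
    bluetooth_enabled: bool
    security_patch_level: str = ""    # Android ro.build.version.security_patch, e.g. "2017-08-05"
    vendor_fix_applied: bool = False  # Windows: CVE-2017-8628 fix; Linux: updated bluez + kernel

def is_blueborne_exposed(d: Device) -> tuple:
    """(exposed, reason): Bluetooth must be on (pairing/discoverability irrelevant) and the platform unpatched."""
    if not d.bluetooth_enabled:
        return False, "Bluetooth disabled (workaround in effect)"
    p = d.platform.lower()
    if p == "android":   # ISO-date patch levels compare correctly as strings
        fixed = d.security_patch_level >= ANDROID_FIXED_PATCH_LEVEL
        return not fixed, f"patch level {d.security_patch_level or 'unknown'} vs {ANDROID_FIXED_PATCH_LEVEL}"
    if p in LAST_VULNERABLE:
        affected = parse_version(d.version) <= parse_version(LAST_VULNERABLE[p])
        return affected, f"{p} {d.version} vs last vulnerable {LAST_VULNERABLE[p]}"
    if p == "windows":   # every version since Vista is affected until the September 2017 fix
        return not d.vendor_fix_applied, "CVE-2017-8628 fix " + ("applied" if d.vendor_fix_applied else "missing")
    if p == "linux":     # advisory scope: devices running BlueZ on kernel 3.3-rc1 or later
        if parse_version(d.version) < parse_version(LINUX_FIRST_VULNERABLE_KERNEL):
            return False, f"kernel {d.version} predates 3.3-rc1"
        return not d.vendor_fix_applied, "bluez/kernel " + ("updated" if d.vendor_fix_applied else "not updated")
    raise ValueError(f"unknown platform: {d.platform!r}")

SAMPLE_INVENTORY = [   # constructed sample inventory, not real hosts
    Device("phone-1", "android", "7.1", True, security_patch_level="2017-08-05"),
    Device("tablet-1", "ios", "9.3.5", True),
    Device("tv-1", "appletv", "7.0.2", False),   # Bluetooth off: workaround in effect
    Device("laptop-1", "windows", "", True),
    Device("gateway-1", "linux", "4.9.0", True),
]
EXPOSED = [d.name for d in SAMPLE_INVENTORY if is_blueborne_exposed(d)[0]]
```

Feed it real inventory records and the names in `EXPOSED` are the hosts that still need either the vendor patch or the disable-Bluetooth workaround.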
## References
- **Armis Labs Research:** hxxps[://]www[.]armis[.]com/research/blueborne/
- **Microsoft Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2017-8628
- **Android Security Bulletin:** hxxps[://]source[.]android[.]com/security/bulletin/2017-09-01
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/2017/09/15/new-attack-vector-affecting-bluetooth-devices/