BlueBorne (security vulnerability)

Last updated

BlueBorne is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows. [1] [2] [3] It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE - 2017-14315. The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017. [1] [2] [4] [5] [6] According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]." [1]

Contents

History

The BlueBorne security vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017. [1]

Technical Information

The BlueBorne vulnerabilities are a set of 8 separate vulnerabilities. [7] They can be broken down into groups based upon platform and type. There were vulnerabilities found in the Bluetooth code of the Android, iOS, Linux and Windows platforms: [8]

The vulnerabilities are a mixture of information leak vulnerabilities, remote code execution vulnerability or logical flaw vulnerabilities. The Apple iOS vulnerability was a remote code execution vulnerability due to the implementation of LEAP (Low Energy Audio Protocol). This vulnerability was only present in older versions of the Apple iOS. [17]

Impact

In 2017, BlueBorne was estimated to potentially affect all the 8.2 billion Bluetooth devices worldwide, [1] although they clarify that 5.3 billion Bluetooth devices are at risk. [18] Many devices are affected, including laptops, smart cars, smartphones and wearable gadgets. [1] [2] [4] [5] [6]

In 2018, after one year after the original disclosure, Armis estimated that over 2 billion devices were still vulnerable. [19] [20]

Mitigation

Google provides a BlueBorne vulnerability scanner from Armis for Android. [21] Procedures[ clarification needed ] to help protect devices from the BlueBorne security vulnerabilities were reported by September 2017. [22] [23] [24] [ needs update ]

Related Research Articles

<span class="mw-page-title-main">Bluetooth</span> A short-range wireless technology standard

Bluetooth is a short-range wireless technology standard that is used for exchanging data between fixed and mobile devices over short distances and building personal area networks (PANs). In the most widely used mode, transmission power is limited to 2.5 milliwatts, giving it a very short range of up to 10 metres (33 ft). It employs UHF radio waves in the ISM bands, from 2.402 GHz to 2.48 GHz. It is mainly used as an alternative to wired connections to exchange files between nearby portable devices and connect cell phones and music players with wireless headphones.

Cisco PIX was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.

<span class="mw-page-title-main">Hospira</span> American pharmaceutical company

Hospira was an American global pharmaceutical and medical device company with headquarters in Lake Forest, Illinois. It had approximately 19,000 employees. Before its acquisition by Pfizer, Hospira was the world's largest producer of generic injectable pharmaceuticals, manufacturing generic acute-care and oncology injectables, as well as integrated infusion therapy and medication management systems. Hospira's products are used by hospitals and alternate site providers, such as clinics, home healthcare providers and long-term care facilities. It was formerly the hospital products division of Abbott Laboratories. On September 3, 2015, Hospira was acquired by Pfizer, who subsequently sold off the medical devices portion of Hospira to ICU Medical.

<span class="mw-page-title-main">KWallet</span> Password manager

KDE Wallet Manager (KWallet) is free and open-source password management software written in C++ for UNIX-style operating systems. KDE Wallet Manager runs on a Linux-based OS and Its main feature is storing encrypted passwords in KDE Wallets. The main feature of KDE wallet manager (KWallet) is to collect user's credentials such as passwords or IDs and encrypt them through Blowfish symmetric block cipher algorithm or GNU Privacy Guard encryption.

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP). NVD is managed by the U.S. government agency the National Institute of Standards and Technology (NIST).

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

Reliable Datagram Sockets (RDS) is a high-performance, low-latency, reliable, connectionless protocol for delivering datagrams. It is developed by Oracle Corporation.

A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number or alphanumeric designation. Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.

Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in San Mateo, California.

In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005. It succeeded three existing lines of Cisco products:

<span class="mw-page-title-main">Heartbleed</span> Security bug in OpenSSL

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

FREAK is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or fewer, with the intention of allowing them to be broken easily by the National Security Agency (NSA), but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

<span class="mw-page-title-main">Stagefright (bug)</span> Software bug in Android

Stagefright is the name given to a group of software bugs that affect versions from 2.2 "Froyo" up until 5.1.1 "Lollipop" of the Android operating system exposing an estimated 950 million devices at the time. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn't have to do anything to 'accept' exploits using the bug; it happens in the background. A phone number is the only information needed to carry out the attack.

<span class="mw-page-title-main">KRACK</span> Attack on the Wi-Fi Protected Access protocol

KRACK is a replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original speculative execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM Power microprocessors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

<span class="mw-page-title-main">Rafay Baloch</span> Pakistani ethical hacker and security researcher (born 1993)

Rafay Baloch is a Pakistani ethical hacker and security researcher. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, The Express Tribune and TechCrunch. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award. In 2021, Islamabad High court designated Rafay Baloch as an amicus curia for a case concerning social media regulations.

<span class="mw-page-title-main">MikroTik</span> Company based in Riga, Latvia

MikroTik is a Latvian network equipment manufacturing company. MikroTik develops and sells wired and wireless network routers, network switches, access points, as well as operating systems and auxiliary software. The company was founded in 1996, and as of 2022, it was reported that the company employed 351 employees.

<span class="mw-page-title-main">Home Assistant</span> Home automation software

Home Assistant is free and open-source software used for home automation. It serves as an integration platform and smart home hub, allowing users to control smart home devices. The software emphasizes local control and privacy and is designed to be independent of any specific Internet of Things (IoT) ecosystem. Its interface can be accessed through a web-based user interface, by using companion apps for Android and iOS, or by voice commands via a supported virtual assistant, such as Google Assistant, Amazon Alexa, Apple Siri, and Home Assistant's own "Assist" using natural language.

Simjacker is a cellular software exploit for SIM cards discovered by AdaptiveMobile Security. 29 countries are vulnerable according to ZDNet. The vulnerability has been exploited primarily in Mexico, but also Colombia and Peru, according to the Wall Street Journal, where it was used to track the location of mobile phone users without their knowledge.

References

  1. 1 2 3 4 5 6 Staff (12 September 2017). "The Attack Vector "BlueBorne" Exposes Almost Every Connected Device". Armis.com. Retrieved 5 January 2018.
  2. 1 2 3 Staff (12 September 2017). "BlueBorne - Protecting the Enterprise from BlueBorne" (PDF). Armis.com. Archived from the original (PDF) on 20 December 2017. Retrieved 5 January 2018.
  3. Biggs, Jpohn (12 September 2017). "New Bluetooth vulnerability can hack a phone in 10 seconds". TechCrunch . Retrieved 5 January 2018.
  4. 1 2 Newman, Lily Hay (13 September 2017). "Hey, Turn Bluetooth Off When You're Not Using It". Wired . Retrieved 5 January 2018.
  5. 1 2 Hildenbrand, Jerry (16 September 2017). "Let's talk about Blueborne, the latest Bluetooth vulnerability". AndroidCentral.com. Retrieved 5 January 2018.
  6. 1 2 Kerner, Sean Michael (12 September 2017). "BlueBorne Bluetooth Flaws Put Billions of Devices at Risk". eWeek . Retrieved 5 January 2018.
  7. "BlueBorne Whitepaper" (PDF). Archived (PDF) from the original on 5 May 2020.
  8. "An Analysis of BlueBorne: Bluetooth Security Risks". Decipher. Retrieved 28 July 2021.
  9. "NVD - CVE-2017-1000251". nvd.nist.gov. Retrieved 28 July 2021.
  10. "NVD - CVE-2017-1000250". nvd.nist.gov. Retrieved 28 July 2021.
  11. "NVD - CVE-2017-0785". nvd.nist.gov. Retrieved 28 July 2021.
  12. "NVD - CVE-2017-0781". nvd.nist.gov. Retrieved 28 July 2021.
  13. "NVD - CVE-2017-0782". nvd.nist.gov. Retrieved 28 July 2021.
  14. "NVD - CVE-2017-0783". nvd.nist.gov. Retrieved 28 July 2021.
  15. "NVD - CVE-2017-8628". nvd.nist.gov. Retrieved 28 July 2021.
  16. "NVD - CVE-2017-14315". nvd.nist.gov. Retrieved 28 July 2021.
  17. "What is BlueBorne? An Apple Device FAQ". The Mac Security Blog. 22 September 2017. Retrieved 28 July 2021.
  18. Smith, Ms (12 September 2017). "5.3 billion devices at risk for invisible, infectious Bluetooth attack". CSO Online. Retrieved 28 July 2021.
  19. Osborne, Charlie. "Two billion devices still vulnerable to Blueborne flaws a year after discovery". ZDNet. Retrieved 28 July 2021.
  20. "BlueBorne: One Year Later". Armis. 13 September 2018. Retrieved 28 July 2021.
  21. Staff (12 September 2017). "BlueBorne Vulnerability Scanner by Armis - 2017". Google . Retrieved 5 January 2018.
  22. Staff (15 September 2017). "Information on new BlueBorne security vulnerability". Cornell University . Retrieved 5 January 2018.
  23. Meyer, David (13 September 2017). "How to Check If You're Exposed to Those Scary BlueBorne Bluetooth Flaws". Fortune . Retrieved 5 January 2018.
  24. Geiger, Erik (20 September 2017). ""BlueBorne" Exposes Millions of Bluetooth Devices". Wisconsin University . Archived from the original on 5 January 2018. Retrieved 5 January 2018.