Security 15 September 2017

New BlueBorne Vulnerability to Bluetooth Devices – What happened and what to do about it

By Andrei Robachevsky Technology Programme Manager

Billions of Bluetooth-enabled devices may be exposed to a new remote attack called “BlueBorne”, even without user interaction or pairing. Affected systems include Windows, iOS (older than iOS 10), the Linux kernel, and Android. What should you do about it?

Bluetooth is ubiquitous, commonly connecting accessories like headsets and keyboards, but is also used throughout the brave new Internet of Things (IoT) world. An attacker exploiting these BlueBorne vulnerabilities can mount a man-in-the-middle attack, or even take control of a device without the user even noticing it.

The vulnerabilities were discovered by a security company called Armis earlier this year. Researchers reached out to the companies responsible for vulnerable implementations, which led to the coordinated disclosure (and patches) on September 12. (You can read more about our views on responsible disclosure and collaborative security in Olaf Kolkman’s blog post here.)

This case once again highlights how crucial it is that software update mechanisms are available to fix vulnerabilities, update configuration settings, and add new functionality to devices. There are challenges, both technological and economic, in having update capabilities ubiquitously deployed, as discussed in the recently published Report from the Internet of Things Software Update (IoTSU) Workshop 2016.

Vulnerabilities are discovered and patches are developed, but how many devices remain unpatched, becoming a toxic asset that affects security, user privacy, and the overall security of the ecosystem?

What You Can Do

  1. Make sure your software is always up to date. Patches for the BlueBorne vulnerability are available in the latest releases of Windows (see Microsoft bulletin), iOS, the Linux kernel, and Android (see September 2017 security bulletin). Unfortunately, this process is often under the control of the device manufacturer and patching may be delayed for various reasons. If a patch is not yet available, inquire about when an update will be offered.
  2. Disable Bluetooth if it is not essential that you use it, at least until your software is patched.