Blueborne Bluetooth vulnerability


#1

https://www.armis.com/blueborne/

BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector.

affect all devices running on Android, Linux, Windows, and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use. This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally.

All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).

Examples of impacted devices:

Google Pixel
Samsung Galaxy
Samsung Galaxy Tab
LG Watch Sport
Pumpkin Car Audio System
Google has issued a patch and notified its partners. It will be available for:

Nougat (7.0)
Marshmallow (6.0)
Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin. We recommend that users check that Bulletin for the latest most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level,


#2

This sounds pretty nasty.
I hope we get an update for our Android 5.1 phones (MotoX/X2).
The last Android Security Patch Level I have is 8/1/2016.
If not, the only recourse we have is to turn off Bluetooth, which is not good.
I use wireless headphones, external speakers, car stereo, Tile key fob, etc.


#3

It is nasty.

Google has released patches, some looking like they are going back to Android 4.4.4. Details here:

https://source.android.com/security/bulletin/2017-09-01

However, getting an Android patch to your phone seems to require actions from Google (done), Motorola (or Samsung in my case) as the manufacturer and Republic Wireless as the service provider.

I don’t know about Motorola, but Samsung seems to have totally dropped the ball and refuses to tell anyone anything (despite being contacted by Armis well before the exploit became public). Republic Wireless seems to know nothing because the manufacturers aren’t talking either.

All around a bad situation.


#4

I don’t expect any updates to the Legacy Phones
Motorola considers them at end of lifetime (plus any OS update would need to be Republic to reassemble a team to test the OS before sending to Sprint Labs for certification (the last OS update took over a year before it was pushed to Republic Moto X)

with 3.0 phones is all up to the OEMs


#5

drm186,

I’ve been having trouble finding information on End of Support/End of Life of various phones from the manufacturers. Do you have links to this information you can share? Particularly for Samsung and Motorola, since they have been discussed here.

Thank you.


#6

Motorola history since the Moto xz 1st Gen has been 2 years support on flagships, 1-2 years on midline and budget phones,
For flagships 2 years or 2 major is updates seams to be the norm, even Google only guarantee 2 years support on Nexus and pixel phones[even though they may still release an update for older phoned


#7

My Moto X tests VULNERABLE for the Bluetooth Vulnerability. Update ???


#8

Yes, it is vulnerable. Probably best to keep Bluetooth turned off most of the time.


#9

Given the topic here, this is a good reference: