Two billion devices still vulnerable to Blueborne flaws a year after discovery

Countless devices are still vulnerable to the set of Bluetooth-based security flaws 12 months after being made public.

Blueborne, a set of nine exploitable Bluetooth vulnerabilities, was thought to affect close to every laptop and mobile device which used the communication protocol when the bugs were found last year.

No desktop, mobile device, or operating system was safe from the vulnerabilities should they make use of the short-range wireless protocol -- which, in essence, meant that most modern devices could be compromised.

Blueborne bugs, which were first discovered by security researchers from Armis, permitted attackers in worst-case scenarios to gain complete control of both a device and any data stored within.

The airborne attack is difficult to protect against as it does not spread over an IP connection, and traditional antivirus solutions are no defense.

The exploit chain impacted Android, Windows, Linux, and iOS before iOS 10. Vendors have been issuing security patches to resolve the bugs, but it seems that far too many devices remain vulnerable.

At the time of discovery in 2017, it was estimated that 5.3 billion devices were vulnerable to attack. On Thursday, one year on since the reveal of Blueborne, Armis revealed that over two billion devices are still exposed to the security flaws.

In a blog post, Ben Seri, VP of Research at Armis, said that these devices remain exposed "either because the users haven't updated them, or because they won't receive updates at all."

Armis says that two-thirds of vulnerable devices have received updates which protect against Blueborne. However, many aging devices which are approaching the end of their support cycles will not be protected.

In total, Armis estimates that billions of devices remain unshielded from Blueborne, categorized as below:

  • 768 million devices running Linux
  • 734 million devices running Android 5.1 (Lollipop) and earlier
  • 261 million devices running Android 6 (Marshmallow) and earlier
  • 200 million devices running affected versions of Windows
  • 50 million devices running iOS version 9.3.5 and earlier

The discovery of Blueborne also prompted security researchers to dive more deeply into Bluetooth-related attacks. Much to the dismay of vendors, a wide range of attack vectors and exploits have since been discovered.

Over the course of 2018, researchers have discovered Bluetooth vulnerabilities which allow attackers to capture and decrypt data; a Bluetooth flaw in Apple iOS, watchOS, and tvOS which compromises sandbox functionality; and five Bluetooth-related remote code execution flaws in Android (CVE-2017-13160, CVE-2017-13255, CVE-2017-13256, CVE-2017-13272, CVE-2017-13266).

It is not only the average user who needs to be aware of Blueborne and related Bluetooth attacks, and whether or not their device is protected.

In the case of Blueborne, it appears the only way to stay protected is to make sure OS versions are as up-to-date as possible; should an older, legacy device not receive such an update, moving to a newer device may be the only remaining option.

"An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks," Armis says. "Whether they're brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks."