• Skip to Content
  • Skip to Main Navigation
  • Skip to Search

Indiana University Indiana University IU

Open Search
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
      • Laptop & mobile device security
      • Malware, scareware, & ransomware
      • Wearable technologies
      • Use of survey software
    • File sharing & copyright
      • Contesting copyright infringement notices
      • Disabling peer-to-peer file sharing
      • Copyright tutorial
      • Copyright infringement incident resolution
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
      • Risk assessment and treatment
      • Policy administration
      • Organization
      • Asset management
      • Human resources
      • Physical & environmental security
      • Communications & operations management
      • Identity & access control
      • Information systems acquisition, development, and maintenance
      • Incident management
      • Business continuity management
      • Compliance
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
      • Guidelines
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
      • Privacy Notice Generator
      • Incident Response Webservice
      • SSL/TLS certificates
  • About
    • Glossary of Terms
    • Trustees Resolution
  • Contact
  • Report an Incident
    • Report Privacy Incident or Request Assistance
    • Emergency IT Incidents
    • Managing Incidents
    • Identity Theft
    • Reporting Suspected Sensitive Data Exposures
    • Reporting Suspected HIPAA Data Exposures

Information Security & Policy

  • Home
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
    • File sharing & copyright
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
  • Search
  • About
  • Contact
  • Report an Incident
  • Home
  • Security Bulletins
  • BlueBorn vulnerabilities

Critical vulnerability in Bluetooth implementations

Wednesday, September 13, 2017

Background

On Sept. 12, 2017, Armis Labs announced newly discovered vulnerabilities in the Bluetooth implementations of Windows, Android, Linux, and iOS. These vulnerabilities were disclosed to the manufacturers in April 2017 and they have been working with Armis Labs on a coordinated announcement yesterday.

The complete list of vulnerabilities and corresponding CVE numbers are listed:

  1. Linux kernel RCE vulnerability - CVE-2017-1000251
  2. Linux Bluetooth stack (BlueZ) information Leak vulnerability - CVE-2017-1000250
  3. Android information Leak vulnerability - CVE-2017-0785
  4. Android RCE vulnerability #1 - CVE-2017-0781
  5. Android RCE vulnerability #2 - CVE-2017-0782
  6. The Bluetooth Pineapple in Android - Logical Flaw CVE-2017-0783
  7. The Bluetooth Pineapple in Windows - Logical Flaw CVE-2017-8628
  8. Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315

Impact

The impact varies between OS's to some degree, but demonstrated exploits have performed remote code execution on Android, Linux and iOS. Man-in-the-Middle (MITM) attacks have been demonstrated for Windows and Android. These attacks are successful without any user interaction or Bluetooth pairing.

The attacks are not detectable or preventable with traditional network security mechanisms. Currently, there are no known workarounds except to patch or turn off Bluetooth services.

Platforms affected

  • Windows versions 7 and later that have not applied the July 2017 roll-up patches.
  • All versions of Android without patches released on Sept. 9, 2017.
  • All versions of Linux kernel 3.3-rc1 thru 4.13.1
  • All iOS devices running versions of iOS prior to iOS 10.

Local observations

Currently, there are no known exploits in the wild for these vulnerabilities. However, UISO will continue to monitor threat intelligence sources for evidence of exploits in the wild.

UISO's recommendations

  • Windows users should apply the July 2017 roll-up security patches if not already applied.
  • Android users should check with their device manufacturers for recent security updates and apply as soon as possible.
  • Linux administrators should apply security patches from their respective distribution vendors as the patches become available. RedHat and Ubuntu have already released patches.
  • Upgrade iOS devices to version 10.
  • Disable Bluetooth services on any unpatched devices until the appropriate patches/upgrades can be applied to the device.

UISO recommends as a general security principle that Bluetooth services be disabled on devices unless specifically required.

Workarounds

Disable Bluetooth services for unpatched devices.

Information Security & Policy resources

  • Leading in Cybersecurity
  • IU Data Management

Indiana University

Accessibility | College Scorecard | Privacy Notice | Copyright © 2024 The Trustees of Indiana University