Bluetooth Critical Vulnerabilities
Date: 13 September 2017
The purpose of this alert is to bring attention to, and to provide guidance and mitigation advice for, multiple critical vulnerabilities affecting a broad range of Bluetooth-enabled devices. Security researchers have named this group of Bluetooth vulnerabilities "BlueBorne".
CCIRC has become aware of multiple critical vulnerabilities in the implementation of the Bluetooth stack in multiple versions of Android, Apple iOS, Microsoft Windows and Linux-based products, among others. The vulnerabilities could allow a malicious threat actor to execute code, intercept wireless communications, abuse device functionality and/or perform man-in-the-middle attacks. While no known active exploitation has been reported, a working proof of concept is available.
Open source reporting describing the vulnerabilities suggests that exploitation does not require the targeted device to be in discoverable mode or paired to the threat actor's device; furthermore, the connection requires neither authorization by the end user nor authentication.
CCIRC recommends that information security teams monitor for future vendor-supplied updates and apply relevant security patches as they become available. Below is a list of the potentially affected products and their relevant versions:
Android phones, tablets, and wearables of all versions are affected by the following four vulnerabilities:
- CVE-2017-0781: Android Remote Code Execution Vulnerability
- CVE-2017-0782: Android Remote Code Execution Vulnerability
- CVE-2017-0783: Android Potential Man in the Middle Attack
- CVE-2017-0785: Android Bluetooth Information Leak Vulnerability
Android devices using Bluetooth Low Energy only are not affected.
The vulnerabilities affecting Marshmallow (6.0) and Nougat (7.0) Android devices were addressed in Google's Android Security Bulletin released September 12th, 2017.
The following vulnerability affects iPhone, iPad and iPod touch devices with iOS 7 through 9 and Apple TV devices with version 7.2.2 and lower:
- CVE-2017-14315: Apple Low Energy Audio Remote Code Execution Vulnerability
The vulnerability affecting Apple devices has been resolved in iOS 10, released in September 2016.
Windows versions 10, 8.1, 7, Server 2016 and Server 2008 are affected by the following vulnerability:
- CVE-2017-8628: Microsoft Bluetooth Driver Spoofing Vulnerability
The vulnerability affecting Microsoft devices has been resolved by a security update released September 12, 2017.
Linux devices running BlueZ 5.46 and earlier are affected by:
- CVE-2017-1000250: Linux Bluetooth Information Leak Vulnerability
The vulnerability affecting Red Hat Enterprise Linux 7 and 6 devices has been resolved by a security update released by Red Hat on September 12, 2017.
Linux kernel versions 3.3-rc1 and up to and including 4.13.1 are affected by the following:
- CVE-2017-1000251: Linux Remote Code Execution Vulnerability
Red Hat Enterprise Linux 5 is not affected.
The vulnerability affecting Red Hat Enterprise Linux 7, 6 and MRG 2 devices has been resolved by a security update released by Red Hat on September 12, 2017.
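The Linux entries above give two upstream version ranges: kernel 3.3-rc1 up to and including 4.13.1 for CVE-2017-1000251, and BlueZ 5.46 and earlier for CVE-2017-1000250. The following is an added triage helper, not part of the CCIRC alert, that parses version strings (including release candidates and distribution suffixes such as `-693.el7.x86_64`) and reports which of the two CVE ranges a host's versions fall into. The sample versions in it are constructed, and the `local_versions` helper assumes that `bluetoothd` is on the PATH and prints its version with `--version`; a range match means "check the vendor advisory", since distributions such as Red Hat backport fixes without changing the upstream version number.

```python
"""Added example (not CCIRC's code): classify Linux kernel and BlueZ versions
against the affected ranges the advisory lists for CVE-2017-1000251 and
CVE-2017-1000250."""
import platform
import re
import subprocess

# Leading dotted numeric part, optionally followed by "-rcN". Anything after
# that (e.g. "-3-amd64" or ".el7.x86_64") is a distro suffix and is ignored.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc(\d+))?")


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-rcN]' into a comparable tuple.

    Numeric components are padded to three entries so '4.13' == '4.13.0'.
    The tuple ends with (rc_flag, rc_number): rc_flag is 0 for a release
    candidate and 1 for a final release, so 3.3-rc1 < 3.3 < 3.3.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    if m.group(2) is not None:
        return tuple(parts[:3]) + (0, int(m.group(2)))
    return tuple(parts[:3]) + (1, 0)


# Ranges as stated in the advisory (both bounds inclusive).
KERNEL_AFFECTED_LOW = parse_version("3.3-rc1")
KERNEL_AFFECTED_HIGH = parse_version("4.13.1")
BLUEZ_AFFECTED_HIGH = parse_version("5.46")


def kernel_is_affected(kernel_version):
    """CVE-2017-1000251: True if the upstream kernel version is in 3.3-rc1..4.13.1."""
    v = parse_version(kernel_version)
    return KERNEL_AFFECTED_LOW <= v <= KERNEL_AFFECTED_HIGH


def bluez_is_affected(bluez_version):
    """CVE-2017-1000250: True if BlueZ is 5.46 or earlier."""
    return parse_version(bluez_version) <= BLUEZ_AFFECTED_HIGH


def assess(kernel_version, bluez_version):
    """Return the advisory's CVE ids whose upstream version ranges match.

    Caveat: a match means the upstream number is in range, not that the host
    is confirmed vulnerable; distributions ship backported fixes (e.g. the
    Red Hat update of September 12, 2017) under the same upstream version.
    """
    findings = []
    if kernel_is_affected(kernel_version):
        findings.append("CVE-2017-1000251")
    if bluez_is_affected(bluez_version):
        findings.append("CVE-2017-1000250")
    return findings


def local_versions():
    """Best-effort read of this host's kernel and BlueZ versions (Linux only).

    Assumption: bluetoothd is on the PATH and 'bluetoothd --version' prints
    the BlueZ version. Returns None for BlueZ when it cannot be read.
    """
    kernel = platform.release()
    try:
        out = subprocess.run(["bluetoothd", "--version"], capture_output=True,
                             text=True, timeout=5).stdout
        bluez = out.strip() or None
    except (OSError, subprocess.SubprocessError):
        bluez = None
    return kernel, bluez


if __name__ == "__main__":
    # Constructed sample versions, not measured on any real host.
    samples = [("3.10.0-693.el7.x86_64", "5.44"), ("4.13.2", "5.47"), ("3.2.0", "5.46")]
    for kernel, bluez in samples:
        print("kernel %-24s bluez %-5s -> %s" % (kernel, bluez, assess(kernel, bluez)))
    kernel, bluez = local_versions()
    if bluez is not None:
        print("this host: kernel %s bluez %s -> %s" % (kernel, bluez, assess(kernel, bluez)))
```

Run it as a script to see the constructed samples classified and, on a Linux host with BlueZ installed, the host's own versions; import it to reuse `assess` against inventory data exported from a configuration management system.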
CCIRC recommends that those using Bluetooth-enabled products consult the vendor for specific risk mitigation advice and available patches. In non-critical applications, CCIRC recommends considering disabling Bluetooth wireless communications. In mission critical or life sustaining applications, the potential consequences of disabling Bluetooth need to be assessed along with an assessment of risk based on the environment in which the Bluetooth-enabled device is being used. In addition, the Bluetooth protocol has a peer-to-peer wireless transmission range of 10-100 meters in many common mobile devices; this aspect should be taken into account when applying mitigation measures.
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118