BlueBorne vulnerability in all the Bluetooth enabled device allows let an attacker penetrate the device and gain the complete control.
Every connected Bluetooth devices including mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux are vulnerable to this flaw regardless of the Bluetooth version.
After disclosing this critical Bluetooth vulnerability, many of the vendors issued patches but as of now more than 2 billion devices have not applied the patch which was released by respective vendors.
— Armis (@ArmisSecurity) September 13, 2018
BlueBorne Attack Vector
Since the BlueBorne attack could spread through the air, an attacker could easily spread to the vulnerable devices and there is no user interaction needed.
Government agencies and critical infrastructure at extreme risk because attackers can bypass the air-gapped internal networks via airborne attacks.
Unlike traditional malware or attacks, the user does not have to click a link or download a questionable file.
Also an attacker can bypass the traditional security measures so the attack interaction is unnoticed.
Still Billions of Devices are Running without Patch
Even though many of the vendors released a security patch, users don’t care about the seriousness of the vulnerability and becoming the victims to the attacker.
More than 1 Billion including Android and iOS devices are still don’t receive critical updates that patch and protect them from a BlueBorne attack.
- 768 million devices running Linux
- 734 million devices running Android 5.1 (Lollipop) and earlier
- 261 million devices running Android 6 (Marshmallow) and earlier
- 200 million devices running affected versions of Windows
- 50 million devices running iOS version 9.3.5 and earlier
In this case, some of the vendors still working on it for the update process but still vast numbers of device having a lot of problem to get the updates.
Major problem is still peoples are using the device that belongs to End-of-life or end-of-support from the respective vendors.
Devices running Linux, like medical devices and industrial equipment, can be difficult or impossible to patch with critical security updates.