There are technically several distinct attack vectors spread across current mobile operating systems. As Armis noted in its BlueBorne info page, Apple’s iOS beyond version 9.3.5 are vulnerable, but that vector was ironed out in iOS 10. Microsoft released an update today to all Windows versions that closes the vulnerability, with details listed here. Google’s Android, however, is spread across so much hardware that the onus to update falls on third-party manufacturers, who might not patch out the vulnerability in time. For its part, Google released protective patches for Nougat (7.0) and Marshmallow (6.0) as part of its September security update.
“We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe,” a Google spokesperson told Engadget.
The other wildcard here: Linux-based devices. Armis informed Linux device operators of the vulnerability very late (last month, as opposed to back in April when it divulged to the other mobile OS providers). Accordingly, Armis wasn’t aware of patches for Linux operating systems, meaning anything running BlueZ are vulnerable to one of the vectors, while those with Linux version 3.3-rc1 can be attacked by another. This includes Samsung’s Gear S3 smartwatch, its smart TVs and family hub.
While using Bluetooth is a canny way to automatically infiltrate user devices without permission, it means BlueBorne is bound by the signal frequency’s short range, and only affects devices with Bluetooth turned on. But since the exploit is so different to the typical attack vector, users wouldn’t even be alerted if their device gets compromised, leading to a hypothetical nightmare scenario (detailed in the video below) wherein a user spreads the “infection” to vulnerable phones and tablets simply by walking in their vicinity.