BlueBorne
What is BlueBorne?
A 2017 set of Bluetooth vulnerabilities discovered by Armis that allowed remote code execution and man-in-the-middle attacks on Android, iOS, Linux, and Windows.
BlueBorne is a family of eight Bluetooth vulnerabilities disclosed by security firm Armis in September 2017. The flaws affected Bluetooth stacks on Android, iOS, Linux, and Windows and could be exploited without pairing and without any user interaction — the target device only had to have Bluetooth switched on. Because Bluetooth runs with high privileges and the attack needs no connection request, BlueBorne could spread airborne from device to device, worm-style, within radio range.
The eight CVEs
The set spanned four platforms: CVE-2017-0781 and CVE-2017-0782 (Android RCE in the BNEP/PAN service), CVE-2017-0783 (Android MitM via PAN profile) and CVE-2017-0785 (Android information leak); CVE-2017-1000251 (a stack overflow in the Linux BlueZ kernel L2CAP handling giving kernel RCE) and CVE-2017-1000250 (Linux SDP information leak); CVE-2017-8628 (Windows Bluetooth MitM); and CVE-2017-14315 (Apple's proprietary LEAP protocol). Armis estimated more than 5.3 billion devices were initially exposed.
Attack flow
flowchart LR
A[Attacker device<br/>Bluetooth in range] --> B[Enumerate nearby<br/>Bluetooth MACs<br/>even non-discoverable]
B --> C[Send crafted L2CAP/SDP<br/>packets — no pairing]
C --> D[Memory corruption in<br/>target Bluetooth stack]
D --> E{Exploit goal}
E --> F[Remote code execution<br/>at high privilege]
E --> G[Man-in-the-middle<br/>traffic interception]
F --> H[Worm to next<br/>in-range device]

Patches from Google, Microsoft, Linux distributions, and Apple followed in September 2017, but countless unpatched IoT and embedded devices stayed vulnerable for years. BlueBorne became a milestone in proximity-based wireless research, foreshadowing later stack flaws such as BleedingTooth (2020) and BrakTooth (2021). Defences: patch promptly, disable Bluetooth when unused, and segment or replace embedded devices that no longer receive firmware updates.
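The "disable Bluetooth when unused" control is only as good as the ability to see which radios are actually on. The script below is an added example, not code from the page or from Armis: it audits a Linux host for Bluetooth adapters that are neither soft- nor hard-blocked by parsing the output format of the `rfkill list` utility (index, name, type, followed by the two "blocked" lines). The sample output embedded in it is constructed for the example; on a live host the same function is fed by `rfkill list` directly.

```shell
#!/bin/sh
# Added example (not from the page or from Armis): audit a Linux host for
# Bluetooth adapters that are still switched on, i.e. the "disable Bluetooth
# when unused" control.  Assumes the output layout of `rfkill list`
# ("<index>: <name>: <type>" headers followed by "Soft blocked:" and
# "Hard blocked:" lines).

# Read `rfkill list` text on stdin; print "<index> <name>" for every
# Bluetooth entry that is neither soft- nor hard-blocked.
unblocked_bluetooth() {
    awk '
        # Print the entry collected so far if it is an active Bluetooth radio.
        function emit() {
            if (name != "" && is_bt && !blocked) print idx, name
            name = ""
        }
        # Header line of a new rfkill entry: "1: hci0: Bluetooth"
        /^[0-9]+: [^:]+: / {
            emit()
            split($0, f, ": ")
            idx = f[1]; name = f[2]
            is_bt = (f[3] == "Bluetooth")
            blocked = 0
            next
        }
        # Either "Soft blocked: yes" or "Hard blocked: yes" counts as off.
        /blocked: yes/ { blocked = 1 }
        END { emit() }
    '
}

# Constructed sample of `rfkill list` output: one Wi-Fi radio, one active
# Bluetooth adapter (hci0) and one already soft-blocked adapter (hci1).
SAMPLE_RFKILL='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci1: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

# Run the audit against the constructed sample.  Against a real host use:
#   rfkill list | unblocked_bluetooth
audit_sample() {
    printf '%s\n' "$SAMPLE_RFKILL" | unblocked_bluetooth
}

# Each reported adapter can be switched off with `rfkill block <index>`
# (or every Bluetooth radio at once with `rfkill block bluetooth`).
audit_sample | while read -r idx name; do
    echo "Bluetooth adapter $name (rfkill index $idx) is active; consider: rfkill block $idx"
done
```

The function reports the rfkill index rather than only the adapter name because `rfkill block` accepts that index, so the audit output can be turned straight into a remediation step; entries that are already hard-blocked (for example by an airplane-mode switch) are left out.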
● Examples
- 01
September 2017 Armis disclosure of eight Bluetooth flaws affecting 5.3+ billion devices.
- 02
Exploitation of CVE-2017-1000251 in the Linux BlueZ stack to gain kernel code execution.
● Frequently asked questions
What is BlueBorne?
A 2017 set of Bluetooth vulnerabilities discovered by Armis that allowed remote code execution and man-in-the-middle attacks on Android, iOS, Linux, and Windows. It belongs to the Attacks & Threats category of cybersecurity.
What does BlueBorne mean?
A 2017 set of Bluetooth vulnerabilities discovered by Armis that allowed remote code execution and man-in-the-middle attacks on Android, iOS, Linux, and Windows.
How do you defend against BlueBorne?
Defences for BlueBorne combine technical controls and operational practices: apply vendor patches promptly, disable Bluetooth when it is not in use, and segment or replace embedded devices that no longer receive firmware updates, as described in the full definition above.
What are other names for BlueBorne?
Common alternative names include: BlueBorne attack vector.