BlueBorne Vulnerability Scanner for Android
BlueBorne Vulnerability Scanner by Armis is a free application for Android devices that checks whether the device is vulnerable to BlueBorne.
BlueBorne is an attack vector that targets devices via Bluetooth. Any device with Bluetooth may be vulnerable to attacks that are carried out over the air. The researchers state that the attack affects mobile, desktop and Internet of Things operating systems including Android, iOS, Windows and Linux.
Hackers may exploit these vulnerabilities to take control of devices via Bluetooth connections. What makes BlueBorne particularly worrying is that it does not require devices to be paired, and that the Bluetooth processes run with high privileges on operating systems.
BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices.
Armis discovered eight vulnerabilities of which it classified four as critical. The main question for users is whether their devices are vulnerable, and that is what BlueBorne Vulnerability Scanner reveals.
BlueBorne Vulnerability Scanner
The application for Android is a simple program: install it, fire it up, and hit the scan button to have the device scanned for vulnerabilities.
The scan takes a few seconds to complete, and at the end you are informed whether the device is vulnerable or not.
If the device is found vulnerable, the app suggests checking with the device manufacturer to find out whether updates that patch the vulnerabilities have been released already.
Users who discover that this is not the case may want to turn off Bluetooth for the time being as it is probably the only option to protect the device from attacks targeting the vulnerabilities.
The other option that the app supports is to run a scan for devices in the vicinity to find out whether they are potentially vulnerable to the attack as well.
What about security updates?
Google released security patches for Android devices to its partners in early August of 2017. The vulnerabilities that affect Android are patched in the September 9th, 2017 security patch level for Android.
Microsoft released security updates in July 2017; Windows users who have not downloaded the patches yet and are using Bluetooth should download and install the patch to protect their devices against attacks.
Additional information on BlueBorne is available on the Armis website.
Now you: are your devices vulnerable?
If your Android phone is more than 1 year old and it is not the most expensive flagship, then there is no update and no fix. Not much point in checking…
My phone is two years old, it came with Lollipop, Marshmallow and now Nougat. Just last week it got the 7.1.2 update.
It’s a Wileyfox Swift v1, it cost me £99. I sent them a message asking if the September patch would be coming to my handset, they replied they’re working on it.
With the previous Heartbleed issue, the patch was released in 3-4 weeks.
So your statement “someone” does not apply to all cheap handsets.
I received the September patch last night, well that was quick.
I’m missing CyanogenMod a lot. They did a great job keeping my devices updated (unofficially).
Exactly. I mean, Motorola has already said that the Moto G4/G4 Plus won’t even get Oreo. The Moto G4/G4 Plus was released in mid-2016. Good luck on that phone ever getting this patch…..
My Moto G4 may never get Oreo, but it does get security updates — eventually. While still stuck on Android 7.0, it got the June 2017 update (which does not fix this issue) just a week ago when this issue first got into the tech press. So maybe in another three or four months… Meanwhile, Bluetooth is turned off on that phone.
For me, Bluetooth has never been turned on, never on any device I have ever owned.
Are you afraid of Bluetooth? Bluetoothobia?
(this is just a joke, but if it offends you, well, I’m sorry, I didn’t expect bluetoothobia is a real thing!)
Personally, I am always hesitant about applications that tell me there is something wrong but then don’t tell me what.
I am always getting caught up in a kind of “From who is this application?”, “Who could they work for?” or even “Are they having my best interest in mind?”
“Personally, I am always hesitant about applications that tell me there is something wrong but then don’t tell me what.”
Thank you — that’s an EXCELLENT point. Aside from all else (who, why, what) installation and use of such “vague” applications amounts to “exercises toward learned helplessness”.
Maybe useful three months from now? If you buy a new phone, install the app, and it reports “is (still) vulnerable”, would that empower you to demand a refund / exchange from the phone retailer?
Well the app is created by the company who discovered the vulnerability.
My phone has Android 5 and it came out last year, I’m not afraid and I don’t feel at risk or missing out on something because it’s an older version, it runs perfectly fine and I don’t need or care for any updates as long as all apps work. I can’t even remember if I ever got an update for this phone. As long as my Bluetooth stays disabled it’s all good.
And the average Android user will have no choice once running this app and being told they have this vulnerability, but to hope/pray/wait that their Android OEM will bother pushing out a fix and that their carrier will actually bother to certify it. I’m no Apple fanboy, but their control over their software remains one of the best arguments for choosing an iPhone over your generic LG, Samsung, Motorola device that will be lucky to see more than 1 or 2 software updates and one or two security patches per year in their life-cycle.
I thought premium phones like Galaxy S8 provided frequent security updates as well.
So I have a choice between switching Bluetooth off (it takes a second, and it’s basically always off) apart from a few seconds when I have to transfer a file (because someone might care about hacking me through it and take an effort hoping that I will pass within 10 meters of him in exactly the same moment)… Or get a phone that can’t transfer files via Bluetooth at all. Also, I use wired headphones.
While I would agree this problem is partially overblown (as you mentioned, simply turning off Bluetooth negates the risk), it still highlights two fundamental problems I have with many modern Android phones. First, some manufacturers like Google, Moto, and HTC have eliminated the headphone jack from their phones. This means consumers who chose to get these phones cannot use their Bluetooth headphones without some security risk. It also highlights that Android phones still suffer from worse security and software reliability than Apple. Apple is not perfect and I personally do not buy their products due to inflated costs associated with them, but they have the “system” down right. They control all the software, something that Google can only dream of. Yes, the Pixel/Nexus lines were “fixes” to this, but they remain niche devices in comparison to the millions of Samsung, LG, etc. devices that consumers actually purchase.
I like Android and have never owned an iPhone, but for all the things Android does better than iOS, software/security updates remain the biggest glaring weakness to Android and Google.
@Joe: Agreed completely. Whilst Apple is not free from problems and shady tactics, the upcoming iOS 11 will still be supported by the iPhone 5S, four years on from that device’s release. That’s some serious peace of mind, compared to the Android world.
That seems to be simple fearware and doesn’t work, I’m on a Pixel XL and have the Sept. patch but it says I’m vulnerable. Why peddle this crap to people?