'Blueborne' Bluetooth vulnerability already patched in Windows 10 Mobile

Published by at

You may have heard the 'Blueborne' vulnerability being discussed in the media, a way for local (as in near you) attackers to poke around and potentially infect your PC, your phone, and so on? Although the attack vector is small (someone within 30 feet of you with malicious intent or with a fatally compromised device), it's still a worry for most of us. But it shouldn't be, since Microsoft patched the vulnerability recently and the update for all production Windows 10-running devices this week included this.

See here for the full Microsoft security guidance database and search for 'CVE-2017-8628', for example. This vulnerability was listed as:

A spoofing vulnerability exists in Microsoft's implementation of the Bluetooth stack. An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer. The attacker can then monitor and read the traffic before sending it on to the intended recipient.

To exploit the vulnerability, the attacker needs to be within the physical proximity of the targeted user, and the user's computer needs to have Bluetooth enabled. The attacker can then initiate a Bluetooth connection to the target computer without the user's knowledge.

The security update addresses the vulnerability by correcting how Windows handles Bluetooth requests.

Raising two questions. Does all this apply to Windows 10 Mobile as well? I believe so, the appropriate system code here is common to both phone and PC. And secondly, what about Insiders on the Fast ring, on the 'feature2' branch? I'm not 100% sure that this includes the patch, but a) if it doesn't, then it's only a week or two to the next fix-up anyway, and b) the number of 'feature2'-running, Fast ring Insiders is miniscule in the world's mobile-owning population - either way, don't worry about it.

The big takeaway here is that Android phones and tablets are by far the most vulnerable to the Blueborne attack, mainly because the vast majority of Android devices aren't kept remotely up to date, leaving a rich pool of vulnerable users across the world. Strike one for Windows 10 Mobile security?