Reduced Risk of “BlueBorne” Attacks on HID Products


You may have heard about the recent set of attacks on Bluetooth-enabled products, codenamed “BlueBorne,” which enable hackers to gain control over smart devices based on Android, iOS, Windows, Linux and other platforms without any action from the user. Users of HID technology have asked how this cyber attack could potentially affect HID products. The good news is that the exposure for HID users is minimal. Let me explain.

First, based on existing information, the BlueBorne vulnerability requires the use of Bluetooth protocol capabilities that are not part of the Bluetooth Low Energy (BLE) specification used in HID iCLASS SE® readers or our embedded reader range: HID OMNIKEY 5127CK Mini and HID OMNIKEY 5427CK Gen2 Desktop. These readers are, therefore, not susceptible to BlueBorne attacks. Also unaffected is our underlying Seos® credential technology for HID Mobile Access®. This highly secure and proven encryption platform is at the heart of delivering secure electronic identities to smartphones.

Only the BLE mobile phones that interact with HID Global readers and Seos credential technology are susceptible to BlueBorne attacks, which can be launched by someone within Bluetooth range (normally around 10 meters) of the smart device.

All smart devices running iOS 9.3.5 (or lower) are affected, as well as all Android devices with Bluetooth capabilities that have not yet been updated to the latest Android security update released by Google in September. Android users should monitor the HID blog for the most recent information. To check if your Android device is vulnerable to BlueBorne, please download the BlueBorne Vulnerability Scanner from Google Play.

If you are an Android user of HID Mobile Access and are concerned that your device is vulnerable to BlueBorne and, in a worst-case scenario, could be exploited to permit unauthorized access to your facility, we recommend that you disable Bluetooth and only use NFC to open doors. We recommend that you resume using Bluetooth only after you receive a security update for your device from your network provider or phone manufacturer.

If you are an iOS 9.3.5 (or lower) user of HID Mobile Access and are concerned that your device is vulnerable to BlueBorne, we recommend that you upgrade to the latest available iOS before enabling Bluetooth. These measures will ensure that your device cannot be taken over by someone and used to gain unauthorized entry.

We hope this information is helpful.  At HID Global, our primary focus is our customers' trust and confidence in our products, solutions and services.  We will continue to do our utmost to provide best practices and useful advice around important security topics like this BlueBorne vulnerability.