BlueBorne a Silent Bluetooth Vulnerability

A set of previously unknown security vulnerabilities in Bluetooth technology reportedly left billions of devices at risk of hacking, a team of Internet-of-Things (IoT) researchers has said.

Experts from Armis, a security firm, claimed last week to have found a series of flaws that put up to 5.3 billion devices with Bluetooth capabilities at risk of a highly-infectious type of attack. It could reportedly take over smartphones, smartwatches, TVs, and laptops.

Based on a proof-of-concept, the security gaps – which have been dubbed "BlueBorne" – could be used by hackers to spread malware or intercept data.

Unlike traditional cyberattacks, the Bluetooth method doesn't need a victim to fall for a malware-ridden link or download a booby-trapped document.

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date and can enable a complete takeover of the target device," experts asserted.

If Bluetooth is enabled, Armis explained in a YouTube video; a hacker could connect to the device and force surrounding web-connected technology to become a "carrier" for the virus.

"These silent attacks are invisible to traditional security controls and procedures," said Yevgeny Dibrov, the chief executive of Armis, in a statement.

"Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," he added.

"Previously identified flaws found in Bluetooth were primarily at the protocol level," Armis claimed. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."

In many ways, if it takes hold, the flaw resembles a digital airborne virus.

While the total number of potentially-at-risk devices is astounding, there has seemingly been no known cases of hackers using the technique to exploit Bluetooth in the wild.

But that may change as it will continue to impact devices which no longer receive security updates and bug fixes.

"The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive," researchers said.

"If no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained," he added. "When exploits like these are found on technology that is integrated into almost every device we use, it's a real concern."

What devices are affected?

Android. All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution, one results in information leak, and the last allows an attacker to perform a Man-in-The-Middle attack.

Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin on September 4, 2017. 

Windows. All Windows computers since Windows Vista are affected by the “Bluetooth Pineapple” vulnerability which allows an attacker to perform a Man-in-The-Middle attack.

Microsoft issued security patches to all supported Windows versions on July 11, 2017, with coordinated notification on Tuesday, September 12. Windows users should check with the Microsoft release here for the latest information.

iOS. All iPhone, iPad, and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. iOS 10 fixed the problem, so no new patch is needed to deal with it. Users should upgrade to the latest iOS or tvOS version available.

Subscribe to Technology This Week