Check Devices for BlueBorne, a Silent Bluetooth Vulnerability

The flaw resembles a digital airborne virus.

By Rick Richardson

A set of previously unknown security vulnerabilities in Bluetooth technology reportedly left billions of devices at risk of hacking, a team of Internet-of-Things (IoT) researchers has said.


Experts from Armis, a security firm, claimed last month to have found a series of flaws that put up to 5.3 billion devices with Bluetooth capabilities at risk of a highly infectious type of attack. It could reportedly take over smartphones, smartwatches, TVs and laptops.

Based on a proof of concept, the security gaps – which have been dubbed "BlueBorne" – could be used by hackers to spread malware or intercept data.

Unlike traditional cyberattacks, the Bluetooth method doesn't need a victim to fall for a malware-ridden link or download a booby-trapped document.

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date and can enable a complete takeover of the target device," experts asserted.

If Bluetooth is enabled, Armis explained in a YouTube video, a hacker could connect to the device and force surrounding web-connected technology to become a "carrier" for the virus.

"These silent attacks are invisible to traditional security controls and procedures," said Yevgeny Dibrov, the chief executive of Armis. "Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," he added.

"Previously identified flaws found in Bluetooth were primarily at the protocol level," Armis claimed. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."

In many ways, if it takes hold, the flaw resembles a digital airborne virus.

While the total number of devices potentially at risk is astounding, there have seemingly been no known cases of hackers using the technique to exploit Bluetooth in the wild. But that may change, since the flaws will continue to affect devices that no longer receive security updates and bug fixes.

"The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive," researchers said.

"If no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained," Armis added. "When exploits like these are found on technology that is integrated into almost every device we use, it's a real concern."

What devices are affected?

Android: All Android phones, tablets and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system. Two of these allow remote code execution, one results in an information leak and the last allows an attacker to perform a man-in-the-middle attack.

Google has issued a security update patch and notified its partners. It was available to Android partners on Aug. 7 and made available as part of the September Security Update and Bulletin on Sept. 4.

Windows: All Windows computers since Windows Vista are affected by the "Bluetooth Pineapple" vulnerability, which allows an attacker to perform a man-in-the-middle attack.

Microsoft issued security patches to all supported Windows versions on July 11, with coordinated notification on Sept. 12. Windows users should check with Microsoft for the latest information.

iOS: All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and Apple TV devices with version 7.2.2 and lower, are affected by the remote code execution vulnerability. iOS 10 fixed the problem, so no new patch is needed to deal with it. Users should upgrade to the latest iOS or tvOS version available.
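As an added example that is not part of the article, the following Python triage applies the thresholds listed above to a constructed device inventory, comparing dotted version strings numerically rather than as text. It assumes each device reports its platform plus either an iOS/tvOS version string or an Android security patch level; the Android cut-off date is an assumption, since the article names the September bulletin but no patch-level string.

```python
from datetime import date

# Thresholds from the article: iOS <= 9.3.5 and tvOS <= 7.2.2 are affected;
# Android is fixed by the September 2017 security update. The exact Android
# patch-level date below is an assumption, the page gives no such string.
IOS_LAST_AFFECTED = (9, 3, 5)
TVOS_LAST_AFFECTED = (7, 2, 2)
ANDROID_FIXED_PATCH_LEVEL = date(2017, 9, 1)  # assumption

def parse_version(text):
    """'9.3.5' -> (9, 3, 5): numeric compare, so '9.10' sorts after '9.3.5'."""
    return tuple(int(part) for part in text.strip().split("."))

def blueborne_status(platform, version, ble_only=False):
    """Classify one device as affected, patched, not_affected or manual_check."""
    platform = platform.lower()
    if platform == "android":
        if ble_only:  # the article exempts Bluetooth Low Energy-only devices
            return "not_affected"
        # Android reports a security patch level such as '2017-09-05'.
        level = date.fromisoformat(version)
        return "patched" if level >= ANDROID_FIXED_PATCH_LEVEL else "affected"
    if platform == "ios":
        return "affected" if parse_version(version) <= IOS_LAST_AFFECTED else "patched"
    if platform == "tvos":
        return "affected" if parse_version(version) <= TVOS_LAST_AFFECTED else "patched"
    if platform == "windows":
        # The article gives only a patch date (July 11), no version threshold,
        # so Windows hosts need their update history checked by hand.
        return "manual_check"
    return "unknown_platform"

def triage(inventory):
    """Group device names by status; rows are (name, platform, version, ble_only)."""
    report = {}
    for name, platform, version, ble_only in inventory:
        report.setdefault(blueborne_status(platform, version, ble_only), []).append(name)
    return report

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("phone-1", "android", "2017-08-05", False),
    ("phone-2", "android", "2017-09-05", False),
    ("tracker-1", "android", "2017-01-01", True),
    ("ipad-1", "ios", "9.3.5", False),
    ("iphone-1", "ios", "10.3.3", False),
    ("appletv-1", "tvos", "7.2.2", False),
    ("laptop-1", "windows", "10", False),
]
print(triage(SAMPLE_INVENTORY))
```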
