Potentially billions of devices could be vulnerable to a set of Bluetooth flaws that could allow an attacker to...
completely take over target devices without any interaction by the victim.
Researchers at Armis Inc., an enterprise internet of things (IoT) security company based in Palo Alto, Calif., branded the collection of eight Bluetooth vulnerabilities as BlueBorne. BlueBorne is said to affect many Windows and Linux desktops, Android smartphones, some iOS devices, as well as an "expanding realm of IoT devices."
"The attack does not require the targeted device to be paired to the attacker's device, or even to be set on discoverable mode," Armis wrote in a blog post. "These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution, as well as man-in-the-middle attacks."
What the BlueBorne attack means
Brian NeSmith, CEO and co-founder at Arctic Wolf Networks, an information security company based in Sunnyvale, Calif., called BlueBorne "one of the most dangerous attacks because of its ability to spread without requiring the user to do anything."
"Bluetooth is so universal, it's impossible for people not to use it. Like catching the flu, you could be infected by just sitting next to somebody on the airplane that has been infected. By the time you start seeing symptoms, you could have spread it to hundreds more people," NeSmith told SearchSecurity. "What's even scarier is thinking about what could be next. The nightmare scenario could be sitting down at a coffee shop to do some emails and ransomware getting installed on your machine before you even connect to the Wi-Fi network. You'll never know what hit you, and you will never have seen it coming."
Armis disclosed the BlueBorne issues to Microsoft, Google, Apple, Samsung, the Linux kernel security team and to the Linux distributions security contact list. Armis noted that iOS 10 mitigated the issues so only iOS devices on versions lower than that would be vulnerable. The Sept. 9, 2017, security patch for Android contains fixes for the BlueBorne flaws, but few devices have received that update.
Otherwise, Armis said almost every computer, mobile device, smart TV or other IoT device "is endangered by at least one of the eight" BlueBorne Bluetooth vulnerabilities, regardless of what version of Bluetooth is used. Experts estimate the number of unpatched devices at risk could be more than 5 billion.
Brian NeSmithCEO and co-founder, Arctic Wolf Networks
Mike Buckbee, security engineer at Varonis, said BlueBorne is most concerning "not because of the nature of the attack, but because it affects a vast number of devices that are quickly becoming a part of our daily lives."
"Many of these devices will remain unpatched and vulnerable for years to come. It's not easy for the average person to ensure their laptop is running the latest OS. Add a dozen IoT-enabled devices into the mix, and it becomes nearly impossible to ensure every product and system is patched -- especially when patches aren't available for many of these items," Buckbee told SearchSecurity. "Attackers will continue to rapidly develop exploits to crack IoT devices to spy on us, steal our information, and even put our lives in danger."
Lamar Bailey, director of security research and development at Tripwire, said there may be only one mitigation tactic.
"Bluetooth is everywhere -- from your laptop to your front door lock. The vulnerabilities in BlueBorne are very wide spread and patches will be coming out for months," Bailey told SearchSecurty. "Bluetooth should be treated like any open port; if you do not need it, then turn it off. That may not always be easy with Bluetooth keyboards and mice/trackpads, but in situations where non-employees are within 40 feet of systems, like banks at teller windows, it is best to use wired input devices and not rely on Bluetooth."
Learn how Project Treble is aiming to speed up Android updates.
Find out how Bluetooth 5 compares to Wi-Fi HaLow.
Get info on how new technologies are reshaping man-in-the-middle attacks.