New Bluetooth Vulnerability Appears, It’s Called Blueborne

Aside from computers and mobile devices, BlueBorne is expected to exploit TVs, watches, cars, and even medical appliances.

So what makes BlueBorne so serious?

“In the past, most Bluetooth vulnerabilities and security flaws originated in issues with the protocol itself, which were resolved in version 2.1 in 2007″.

Armis notes that a particularly distressing aspect of the Blueborne attack is that it can be used to infect systems owners thought were secured by not being connected to the internet.

If you’re anxious that your device is at risk, Armis recommends disabling Blutooth and using it as little as possible.

While using Bluetooth is a canny way to automatically infiltrate user devices without permission, it means BlueBorne is bound by the signal frequency’s short range, and only affects devices with Bluetooth turned on. Just as frightening is that it can spread through the air and attack other nearby devices, a trait that has drawn comparisons to the WannaCry ransomware that initially spread like wildfire. This can lead to the creation of massive botnets.

BlueBorne can affect devices running on popular platforms from Microsoft, Apple and Google. Since Bluetooth usually runs with privileges on operating systems, it doesn’t take too much work for the hacker to get in or even take control of the system. “We encourage other researchers to use this paper as a guideline for the various pitfalls that might exist in implementations of Bluetooth stacks”.

Essentially, iOS and Windows devices seem resilient against the attack.

“These vulnerabilities are fully operational”, according to Armis, “and can be successfully exploited”. Since then, newly found vulnerabilities were minor and did not allow remote code execution. “Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them”, said Yevgeny Dibrov, CEO of Armis.

Google released a patch for Android devices on Tuesday of last week; Linux and Microsoft released patches this Tuesday.

Microsoft had already issued updates on 11 July.

An nearly identical man-in-the-middle issue was found in the Android Bluetooth stack.

The spec’s complexity, Armis contends, has prevented researchers from thoroughly investigating its various implementations for flaws, leaving it full of holes. The exploit allows an attacker within 32 feet to hack a device and doesn’t require the target to click on malicious link or take any action. It’s also invisible to users, and worst of all, it can start spreading from device to device on its own. If you have an iOS or Android device, read on to learn about the new Bluetooth vulnerability and how you could potentially be impacted by this issue.

Google is patching Android 4.4.4 KitKat and later, leaving fewer than one-in-ten older Android devices without the patches.

“The latest vulnerability affecting billions of global Bluetooth devices is a sharp reminder to the importance on keeping devices patched and up-to-date”, Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged account management (PAM) solutions, told Infosecurity.