Newly discovered Bluetooth vulnerabilities expose billions of devices to hacking

Angelica Greene
September 13, 2017

According to Armis Labs, BlueBorne not only affects billions of smartphones, desktops, sound systems, and medical devices, but it requires no action from users. The exploit process is generally very fast, requiring no more than 10 seconds to complete, and it works even when the targeted device is already connected to another Bluetooth-enabled device. "A$3 s the Bluetooth stack is such an huge piece of code, the work we are presenting might be only the tip of the iceberg".

The security firm also said that BlueBorne is based on the vulnerabilities found in the various implementations, and it's anxious that other vulnerabilities may exist on other Bluetooth-connected platforms that it hasn't yet tested. ZDNet's own testing, using Armis' app to check local and nearby Android devices for the vulnerabilities, shows several BlackBerry phones are at risk, as well as other Android devices.

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date", an Armis spokesperson told Bleeping Computer via email.

Security company Armis has found a collection of eight exploits, collectively called Blueborne, that can allow an attacker access to your phone without touching it.

The security flaws, which can be executed silently and without detection on most devices, are believed to be the most widespread set of vulnerabilities by the number of devices affected. Such self-replicating exploits could quickly take over huge numbers of devices at conferences, sporting events, or in work places.

A newly discovered suite of security vulnerabilities in Bluetooth devices gives attackers the ability to take over any system that has its wireless protocol turned on.

"Just by having Bluetooth on, we can get malicious code on your device", Nadir Izrael, cofounder of Armis said.

The Bluetooth Pineapple vulnerability is also present on unpatched Windows systems, allowing the same type of MITM attack to occur. For Apple users, upgrading to any iOS 10 version will deflect any BlueBorne attacks. When patches are available, consumers should update their devices to the latest available operating systems in order to protect themselves from the attacks.

Bitcoin Fascination Looks a Lot Like 'Tulip Fever,' Jamie Dimon Says
CBOE has applied with USA regulators to launch a bitcoin futures contract and a bitcoin exchange traded fund on its venues. The JPMorgan head said there may be a "limited market" for the currency.

Anthony Joshua and Kubrat Pulev face off in Cardiff
That win was exceptional value as a spectacle, but Joshua himself has been critical of his display, in which he was knocked down. The Bulgarian has a top-three ranking with the WBC and WBO, as well as holding his number one status with the IBF.

Eight victims killed by gunman at Cowboys watch party in Plano identified
Rushin said the officer approached the house from the back and saw bodies in the backyard before confronting the suspect inside. Police confirmed that the gunman was Spencer Hight, 32, and that one of the victims was his estranged wife, Meredith Hight, 27.

Apart from these, Linux-based devices, Samsung TVs, and some drone models are also vulnerable to this attack.

Armis has also released a detailed technical whitepaper on the flaws.

But many older devices will not be patched.

Nonetheless, some devices will never receive a BlueBorne patch as the devices have reached End-Of-Life and are not being supported. Android devices using Bluetooth Low Energy only are not affected. Microsoft released an update today to all Windows versions that closes the vulnerability, with details listed here.

Microsoft said in an emailed statement that it patched its Windows-focused vulnerability back in July, but "withheld disclosure until other vendors could develop and release updates".

In an email to SiliconANGLE, a spokesperson for Aramis said that business should be aware that current endpoint protection, mobile data management, firewalls and network security solutions are not created to identify this kind of vulnerabilities and associated exploits.

Security researchers have discovered a set of severe vulnerabilities affecting devices that connect via Bluetooth.

The root cause behind the multiple vulnerabilites is an overly complex Bluetooth specification that spans 2822 pages. "This is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years". "The research illustrates the types of threats facing us in this new connected age".

Other reports by GizPress

Discuss This Article