Newly discovered Bluetooth vulnerabilities expose billions of devices to hacking

Angelica Greene
September 13, 2017

According to Armis Labs, BlueBorne not only affects billions of smartphones, desktops, sound systems, and medical devices, but it requires no action from users. The exploit process is generally very fast, requiring no more than 10 seconds to complete, and it works even when the targeted device is already connected to another Bluetooth-enabled device. "A$3 s the Bluetooth stack is such an huge piece of code, the work we are presenting might be only the tip of the iceberg".

The security firm also said that BlueBorne is based on the vulnerabilities found in the various implementations, and it's anxious that other vulnerabilities may exist on other Bluetooth-connected platforms that it hasn't yet tested. ZDNet's own testing, using Armis' app to check local and nearby Android devices for the vulnerabilities, shows several BlackBerry phones are at risk, as well as other Android devices.

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date", an Armis spokesperson told Bleeping Computer via email.

Security company Armis has found a collection of eight exploits, collectively called Blueborne, that can allow an attacker access to your phone without touching it.

The security flaws, which can be executed silently and without detection on most devices, are believed to be the most widespread set of vulnerabilities by the number of devices affected. Such self-replicating exploits could quickly take over huge numbers of devices at conferences, sporting events, or in work places.

A newly discovered suite of security vulnerabilities in Bluetooth devices gives attackers the ability to take over any system that has its wireless protocol turned on.

"Just by having Bluetooth on, we can get malicious code on your device", Nadir Izrael, cofounder of Armis said.

The Bluetooth Pineapple vulnerability is also present on unpatched Windows systems, allowing the same type of MITM attack to occur. For Apple users, upgrading to any iOS 10 version will deflect any BlueBorne attacks. When patches are available, consumers should update their devices to the latest available operating systems in order to protect themselves from the attacks.

Senators Introduce Amendment To Fight Trump's Transgender Ban
Susan Collins would prevent the military from kicking out transgender service members exclusively based on their gender identity, according to a copy of the language obtained by CNN .

Boyfriend of slain Fargo woman awarded custody of their newborn daughter
Matheny, along with LaFontaine-Greywind's parents, Norberta and Joe Greywind, saw the baby girl for the first time on August 30. Brooke Crews and her boyfriend, William Hoehn, are charged with conspiracy to commit murder and kidnapping in Greywind's death.

Korea warns United States of 'greatest pain' over UN sanctions drive
Rajiv Biswas, Asia Pacific chief economist for IHS Markit, also said he expects that Pyongyang can weather the import reduction. While the U.S. and China agree the Korean peninsula should be rid of nuclear weapons, they differ on how best to achieve that.

Apart from these, Linux-based devices, Samsung TVs, and some drone models are also vulnerable to this attack.

Armis has also released a detailed technical whitepaper on the flaws.

But many older devices will not be patched.

Nonetheless, some devices will never receive a BlueBorne patch as the devices have reached End-Of-Life and are not being supported. Android devices using Bluetooth Low Energy only are not affected. Microsoft released an update today to all Windows versions that closes the vulnerability, with details listed here.

Microsoft said in an emailed statement that it patched its Windows-focused vulnerability back in July, but "withheld disclosure until other vendors could develop and release updates".

In an email to SiliconANGLE, a spokesperson for Aramis said that business should be aware that current endpoint protection, mobile data management, firewalls and network security solutions are not created to identify this kind of vulnerabilities and associated exploits.

Security researchers have discovered a set of severe vulnerabilities affecting devices that connect via Bluetooth.

The root cause behind the multiple vulnerabilites is an overly complex Bluetooth specification that spans 2822 pages. "This is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years". "The research illustrates the types of threats facing us in this new connected age".

Other reports by GizPress

Discuss This Article

FOLLOW OUR NEWSPAPER