BlueBorne Bluetooth Attack Puts 5 Billion Devices at Risk
"In theory, to be safe on these devices, Bluetooth needs to be disabled until a patch is applied", said Mark James, an expert at cybersecurity firm ESET.

Bluetooth security risks are not a new thing, though most past attacks have involved misconfiguration or the lack of PIN authentication to secure a Bluetooth connection.

"As that keeps going on, more and more people would become infected without even knowing it", Mr Miller said.

A new attack vector called BlueBorne could put billions of connected devices at risk of a cyberattack, according to research from Armis Labs.

"The automatic connectivity of Bluetooth, combined with the fact that almost all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive", researchers said. And devices running Bluetooth turn out to be fairly easy to identify with network sniffing tools, even when set to be non-discoverable.

"BlueBorne concerns us because of the medium by which it operates", the Armis Labs briefing on BlueBorne states.

The good news is that security researchers detected the flaws before hackers had a chance to exploit them, and they have alerted tech companies. Zero-day vulnerabilities are security flaws that are found before developers have a chance to fix them. WannaCry allegedly used the NSA's EternalBlue vulnerability and infected computers on the same network, even though they never downloaded the virus. BlueBorne likewise aims to access corporate data and networks, break through "air-gapped" networks and act as a seed for spreading malware to other connected devices. Armis Labs explained that, through improper validation, BlueBorne is able to manipulate Bluetooth's tethering feature to share data and spread to other devices.

It would seem that Apple devices running iOS 10 are not affected, while those running an earlier version of Apple's mobile OS are.

Microsoft has begun sending out security patches to all Windows versions as of 10 a.m., September 12, and has made the details available online.

Google and Microsoft both subsequently released updates by the beginning of September 2017 for their affected devices, which included Android phones of every version and every Windows computer since Windows Vista. Microsoft is expected to release patches later today. Google automatically updates its own devices, such as the Pixel, but when it comes to the wider Android ecosystem, all it can do is make updates available to manufacturers and hope they relay them to their customers' phones and tablets. Armis estimates the number of such devices at around 40% of all Bluetooth-enabled devices, which is over two billion devices.

But that may change, as BlueBorne will continue to affect devices that no longer receive security updates and bug fixes.

It's time to update your device to avoid any mishap.

"Don't be surprised if you have to go see your security dentist on this one", said Ralph Echemendia, CEO of Seguru. In one scenario, the flaws can be used to build a worm-like attack in which one compromised device automatically infects others when they come into its Bluetooth range.

"There could be quite a few more coming after this", Mr Miller said.