New Bluetooth vulnerability could affect millions of devices

13 Sep 2017

Bluetooth speaker. Image: successo images/Shutterstock

A new vulnerability, dubbed BlueBorne, means attacks are possible without any input from the user.

Armis is a security platform that specialises in securing internet of things (IoT) devices, and it recently published details of a new Bluetooth vulnerability that could potentially leave millions of devices vulnerable to remote attack.

According to Armis, BlueBorne is “an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices”. It can affect computers, mobile phones and a myriad of other IoT devices that use Bluetooth connectivity.

BlueBorne earns its name for the way it spreads through the air on Bluetooth connections, and it can be used to conduct remote code execution as well as man-in-the-middle attacks.

Virtually any device that runs on Windows, Linux or Android that hasn’t recently been patched is at risk of being compromised by an attacker within just 32ft. There are technically several different attack vectors spread across different operating systems.

No input required from the user

Unlike the majority of modern-day cyberattacks, BlueBorne doesn’t require potential victims to click on a link, download a file, or have their phone or computer paired with a malicious device.

“Bluetooth-enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all.

“This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.”

Exploiting Bluetooth

The discovery of BlueBorne was actually made earlier in the year, with Armis reaching out to Google, Microsoft, Apple, Samsung and Linux to notify them of the threat. Google and Microsoft issued updates, while Apple detected no vulnerabilities in its latest OS. Linux is also in the process of issuing updates, while Samsung has yet to respond to Armis.

The patch issued by Google was sent to device manufacturers a month ago but, with a variety of Android partners, this means the delivery time could be different for people, depending on the handset or device they currently use. A patch for the Google-made Pixel device line has already been implemented.

It’s worth noting, though, that there are millions of Android devices still in use that will not see another patch or update, or will be slow to receive one, rendering them especially vulnerable.

The Verge made the point that the potential attack has a number of limits, from the variation depending on respective operating systems, to the limited physical range of Bluetooth connectivity itself, with attacks only possible if your Bluetooth is turned on.

This news further affirms the need for innovative and watertight security solutions in the age of IoT, particularly with the proliferation of Bluetooth-connected devices such as speakers and e-health products.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects