BlueBorne Bluetooth Vulnerability Hits Massive Swathe Of Devices

The only thing needed is the Bluetooth device has to be turned on, the Blueborne attack doesn't require paired with a malicious device or even set to discoverable mode.

Now, while we'll be the first to admit that this attack, christened Blueborne, has a limited audience given the relatively short range, imagine the havoc it could wreak in a simple coffee shop?

An airborne computer virus with the ability to infect billions of phones and other devices has been identified by internet security analysts.

"The automatic connectivity of Bluetooth, combined with the fact that almost all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive", researchers said.

Armis researchers have described BlueBorne in a detailed post.

A Bluetooth vulnerability dubbed BlueBorne, discovered in April, has been made public after companies including Google and Microsoft issued updates. The Bluetooth functionality in both OSes also runs with high system privileges, allowing the resulting infection to access sensitive system resources and survive multiple reboots. This can lead to the creation of massive botnets. The vulnerability found in Apple's Low Energy Audio Protocol (LEAP), which works on top of Bluetooth, enables a remote code execution attack that could allow an attacker to silently take over a device.

IoT security platform Armis on 12 September gave warnings about a new attack vector targeting Android, iOS, Windows and Linux systems using the Bluetooth function. "We tried to make this as coordinated as possible". For Apple TV, it's 7.2.2 and lower. BlueBorne was patched in iOS 10.

"BlueBorne" can spread via the air and attack devices through Bluetooth. But they have produced a video of it working on an Android device. You can download the Armis BlueBorne Scanner app from Google Play to check if your Android device is affected.

Microsoft has begun sending out security patches to all Windows versions as of 10 a.m., September 12, putting the details available online.

There are two specific methods attackers could use with exploit code. Google and Microsoft issued updates, while Apple detected no vulnerabilities in its latest OS.

"You could be simply walking down the street [and] you walk past someone who is vulnerable and suddenly they are infected", he said.

Linux devices running BlueZ are affected by the information leak flaw and those from version 3.3-rc1, released in October 2011, are affected by the remote code execution flaw.

Examples of impacted devices include Samsung Gear S3, Samsung Smart TVs, and Samsung Family Hub.

But that may change as it will continue to impact devices which no longer receive security updates and bug fixes. The attack method, which they're calling BlueBorne, is especially unsafe because it can spread without the victim doing anything or noticing it. "By spreading through the air, BlueBorne targets the weakest spot in the networks' defense - and the only one that no security measure protects".

As concerning as such an exploit is, consumers should take comfort in the fact that not only are the flaws fixable but some manufacturers have already taken steps to patch the vulnerabilities and keep users safe. Special attention should be paid while using Bluetooth on your phone, be alert regarding unsuspicious activities.

  • Arturo Norris