Some phones and laptops are vulnerable to 'BlueBorne' exploit

To launch an attack, malware can connect to a target device and remotely execute code on the phone, tablet, computer, or smart device, which lets the malware spread further to other devices.

BlueBorne is a set of eight flaws that collectively can be used to attack iOS, Android, Windows and macOS devices.

"Previously identified flaws found in Bluetooth were primarily at the protocol level", Armis claimed.

Disable Bluetooth unless you need to use it, and turn it off again immediately afterwards. Samsung has yet to respond, according to Armis Labs. Airborne attacks that can bypass traditional security and even air-gapped internal networks can also endanger industrial systems, government agencies, and critical infrastructure.

According to Nadir Izrael, co-founder of Armis, "Just by having Bluetooth on, we can get malicious code on your device". This makes BlueBorne one of the broadest potential attacks in recent years, while allowing attackers to strike undetected.

These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date.

"In some areas the Bluetooth specifications leave too much room for interpretation, causing fragmented methods of implementation in the various platforms, making each of them more likely to contain a vulnerability of its own", the company said.

The security firm also said that BlueBorne is based on vulnerabilities found in the various implementations, and that it is concerned that other vulnerabilities may exist on other Bluetooth-connected platforms that it hasn't yet tested.

Linux devices running BlueZ are affected by the information leak flaw, and those from version 3.3-rc1, released in October 2011, are affected by the remote code execution flaw. An attacker doesn't even need to pair a device with a target system in order to exploit this vulnerability. Malware exploiting the attack vector may be particularly virulent, passing peer-to-peer and jumping laterally to infect adjacent devices when Bluetooth is switched on, said the researchers.

"The automatic connectivity of Bluetooth, combined with the fact that almost all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive", researchers said.

In this demo, Armis Labs will demonstrate BlueBorne, and how a hacker can create a "Bluetooth Pineapple" to create a Man in the Middle (MiTM) attack. This type of attack can often be configured to force those systems to reveal the encryption keys being used by Bluetooth, access systems or monitor data being sent between devices.

While the total number of potentially at-risk devices is astounding, there have seemingly been no known cases of hackers using the technique to exploit Bluetooth in the wild.

Apple fixed its share of the vulnerabilities in iOS 10, which 89 percent of all users are using as of early September. However, the company still warns users who are on older versions of iOS that they're at risk.

"Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air".

Armis also called for more attention on implementing secure Bluetooth protocols in the future, as the impact of any newly found threat could be quite significant, considering that billions of devices make use of the technology.

The researchers have reported the flaws to the affected vendors, but acknowledged that many Android devices will not be patched.
