Cybersecurity researchers have discovered flaws in Bluetooth that could allow cybercriminals to carry out attacks on millions of Android, iOS, Linux and Windows smartphones.
The flaws were dubbed BlueBorne by Armis, the American security firm that discovered them. Armis warned: “Nearly all devices with Bluetooth capabilities, including smartphones, TVs, laptops, watches, smart TVs, and even some automobile audio systems, are vulnerable to this attack”.
Armis quickly reported the vulnerabilities to Google, Microsoft and Linux. Each responded by issuing updates and patches.
A spokesperson for Microsoft said: “We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”
How does it work?
While there have been many Bluetooth flaws discovered in the past, BlueBorne represents a new type of attack.
It is known as a ‘proximity-based network vulnerability’, meaning a hacker need only be within range of the device, roughly 33 feet, to start scanning for flaws.
David Dufour from security firm Webroot remarked: “For attackers it’s Candy Land. You sit with a computer with a Bluetooth-enabled radio, just scanning for devices saying, ‘Hey anybody out there?’.
“Then you start prodding those devices to look for things like the operating system and the Bluetooth version. It’s a hop, skip and a jump to start doing bad stuff.”
And the hack is quick. We’re talking within 10 seconds.
Looking at the man in the middle
Armis says that once a device is infected, the vulnerabilities “could enable an attacker to take over devices, spread malware, or establish a ‘man-in-the-middle’ to gain access to critical data and networks without user interaction.”
What’s more, said Armis CEO Yevgeny Dibrov: “These silent attacks are invisible to traditional security controls and procedures.
“Companies don’t monitor these types of device-to-device connections, so they can’t see these attacks or stop them.”
Flaws like BlueBorne have highlighted the crucial importance of Bluetooth security in the never-ending battle against cybercriminals.
Patches and updates are critical in improving those defences, but you don’t control when your device gets patched and, in the meantime, you’re unlikely to stop using Bluetooth.
How to stop it
Cybersecurity researchers suggest that when not in use it is good practice to turn Bluetooth off. This minimises the vulnerability of your device.
It is also useful to enable automatic updates and install patches whenever they are available.
But your security is often a matter of weighing risk against reward: security versus convenience.
As David Dufour said: “With security everything is kind of flavor of the week. So, this week it’s Bluetooth.”