According to a white paper by mobile security firm Armis Labs, the “BlueBorne” attack can still threaten devices that support Bluetooth connectivity, including smartphones, tablets, laptops and various IoT devices. While the security flaw was uncovered in the past, many devices are still in danger, the report says.
The BlueBorne vulnerability is different in that it requires no user action – once a device’s Bluetooth is turned on, hackers have an opening. Because Bluetooth-enabled devices are constantly searching for connections, the attack can occur without pairing.
Exploiting the flaw involves bypassing various authentication mechanisms to take over a device. Once an attacker takes control of an affected device, they can launch ransomware attacks or steal user data.
The flaw isn’t in the Bluetooth standard, but in its implementation in all kinds of software. This undetectable flaw puts at least 5.3 billion devices in danger, including Windows, Android, iOS and Linux devices, according to researchers at Armis Labs.
The flaw was partly caused by device makers who tried to implement the complex Bluetooth protocol across devices, resulting in weak spots.
“In some areas the Bluetooth specifications leave too much room for interpretation, causing fragmented methods of implementation in the various platforms, making each of them more likely to contain a vulnerability of its own,” Armis Labs said. “This is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years.”
Devices using the latest iOS 10 won’t be affected by BlueBorne. Microsoft also patched the flaw in Windows this July. Google is working on distributing its patch, which leaves Android the most vulnerable mobile system.
Billions of Bluetooth-equipped IoT devices like smart TVs, speakers and smart light bulbs can also be affected by BlueBorne. Many of these devices are built on Linux, which is still working on its patch.
For devices that haven’t yet received a patch for BlueBorne, the best solution is to turn Bluetooth off when it is not in use.