Nearly 8.2 billion devices worldwide are at risk from remote attacks such as device takeover and man-in-the-middle (MITM). According to researchers from Armis Labs, the Bluetooth vulnerability is present on all devices running iOS, Windows, Android, and even Linux. The attack vector is dubbed BlueBorne “as it spreads through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released,” says a statement released by Armis Labs.
The attack works similarly to the Broadcom Wi-Fi chip vulnerabilities recently discovered by Project Zero and Exodus, giving attackers complete access and control from the beginning. But unlike Wi-Fi, Bluetooth offers a wider attack surface and thus contains a lot more vulnerabilities.
What’s worse is that the attack doesn’t require targeted devices to be paired, or even to be discoverable. The attack vector masquerades as a Bluetooth device and exploits weaknesses in the protocol to deploy malicious code. “The BlueBorne attack vector requires no user interaction, is compatible with all software versions, and does not require any preconditions or configurations aside from Bluetooth being active. Unlike the common misconception, Bluetooth-enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the broadest potential attacks found in recent years, and allows an attacker to strike completely undetected.”
iPhones running iOS 10 are immune to the attack vector. Microsoft released a patch to fix the bug for all computers running Windows Vista or later, which were vulnerable to “Bluetooth Pineapple”. Android devices prior to KitKat are still vulnerable. Google has issued a patch for Nougat and Marshmallow and has notified its partners.
“Current security measures, including endpoint protection, mobile data management, firewalls, and network security solutions are not designed to identify these types of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections,” stated Armis Labs. “New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are used for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited.”