Armis, a Palo Alto-based Internet of Things (IoT) security company, has discovered critical vulnerabilities in Bluetooth that, if exploited, can allow attackers to carry out remote attacks on millions of Android, iOS, Linux and Windows devices with Bluetooth enabled.
Dubbed “BlueBorne” by researchers, the attack can be carried out successfully without any user interaction. That means any device with Bluetooth enabled can be infected without the user needing to click on a malicious link or visit a compromised website. All an attacker needs is to stay close or at least 32 feet away from the targeted device, and the rest is history.
“BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode,” said the security firm Armis.
BlueBorne is similar to the Broadcom Wi-Fi attack that was discovered earlier this year in April and July. The attack allowed an attacker to carry out remote attacks against almost all iPhones and Android
So far, the researchers have found eight zero-day vulnerabilities and believe there will be more to come. Currently, an estimated 8 billion devices are using the Bluetooth feature, while BlueBorne could target more than 5 million devices.
The good news is that Microsoft already patched the vulnerability, without announcing it, back in July. But Windows users should make sure their devices are up to date in order to receive security patches.
According to a Microsoft spokesperson, “Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”
More good news: iPhone devices running iOS 10 are safe from this attack, while Google issued a security patch a month ago to secure Android users. However, it might take some time for every Android user to get the patch on their device, since it all depends on the manufacturers. Linux, on the other hand, is expected to issue a patch soon.
Meanwhile, users are advised to avoid using Bluetooth in public, enable automatic updates and install the patch whenever it arrives. Remember, this BlueBorne attack is not a piece of cake for an average hacker to carry out, but security should be your first priority.