A set of zero-day vulnerabilities affects nearly all devices with Bluetooth capabilities, including smartphones, laptops, watches, smart TVs and some automobile audio systems.
Security company Armis revealed a series of Bluetooth-related zero-day vulnerabilities, dubbed BlueBorne, that could threaten billions of IoT devices.
If exploited, they could allow an attacker to take over a device or create a man-in-the-middle connection to gain access to sensitive data and networks. Because they are proximity-based network vulnerabilities, the firm warns that they could allow attackers to create massive malware infections that could quickly spread from device to device by wirelessly connecting via Bluetooth.
“These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date,” Armis explained in an alert. “Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device. These silent attacks are invisible to traditional security controls and procedures. Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them,” said Yevgeny Dibrov, CEO of Armis. “The research illustrates the types of threats facing us in this new connected age.”
According to the company, the vulnerabilities were found in Bluetooth devices running Android, Microsoft, Linux and pre-iOS 10 software. Armis reported the issue, and Google and Microsoft promptly released updates addressing it, while the others are dragging their feet on doing the same. The updates may not be of much use, though; the company says many consumers don’t know how to apply them. Armis recommends that users disable Bluetooth on their devices until they learn how to apply the updates or until updates become available for their device.