Over 5 Billion Devices Could Get Hit by This Bluetooth Attack
Attackers can use Bluetooth technology to hack billions of PCs, mobile and smart devices. At least eight flaws, which the researchers are collectively calling "BlueBorne", were discovered in the Bluetooth short-range wireless protocol. More than 5.3 billion devices are at risk from this attack, which was identified by a security company.
Bluetooth has become the primary mode of sharing data over short distances. Before Google Photos made photo-album sharing easy and Apple came up with AirDrop, Bluetooth was possibly the only way to share data easily. Even with these and other such technologies and services available, Bluetooth remains one of the most convenient ways to share data with other devices, as well as to stream audio and video. With so many uses, the Bluetooth protocol also offers some sweet opportunities to criminal hackers.
Researchers at the security firm Armis have devised an attack that uses the wireless technology to hack Windows, Android, Linux, and several other devices. The exploit allows an attacker within 32 feet to hack a device and doesn't require the target to click on a malicious link or take any action. All that is needed is to turn Bluetooth on.
"Just by having Bluetooth on, we can get malicious code on your device," Nadir Izrael, cofounder of Armis, said. "BlueBorne abuses the fact that when Bluetooth is on, all of these devices are always listening for connections." The attack essentially takes advantage of how Bluetooth uses tethering to share data and is able to spread through "improper validation".
BlueBorne - WannaCry of the Bluetooth world?
The attack mechanism has been named "BlueBorne" since it essentially spreads like an epidemic. BlueBorne is highly infectious as it spreads further via the victim devices. Once compromised, the first target device turns into an offensive device, compromising every available device in its range. The attack spreads much as the WannaCry ransomware did earlier this year using the NSA's EternalBlue vulnerability.
"We've run through scenarios where you can walk into a bank and it basically starts spreading around everything," Izrael said. Researchers were able to create botnets and install ransomware using Bluetooth, with attacks taking just around 10 seconds.
"Imagine there's a WannaCry on Bluetooth, where attackers can deposit ransomware on the device, and tell it to find other devices on Bluetooth and spread it automatically."
Apple, Google and Microsoft have all released patches for BlueBorne, with Apple confirming that it doesn't affect devices on iOS 10 or later. Armis added that all iOS devices on 9.3.5 or older versions are vulnerable. Microsoft released a patch in July, and all Windows users who haven't yet updated to the July patch remain vulnerable.
As for Google, the company said that its Android partners received the patch in early August and that it is delivering the fix to its own devices with the September security patch. It's unclear which of its carrier partners have released the patch so far, but Pixel and Nexus devices have been updated. Armis added that over 180 million Android devices will never see this patch since they are no longer supported.
Apart from these, Linux-based devices, Samsung TVs, and some drone models are also vulnerable to this attack. It isn't immediately clear how many of these estimated 5 billion devices will receive a patch, but Armis Labs believes that 40 percent are not going to be patched. That's over 2 billion devices that will be left vulnerable to BlueBorne attacks.