Dubbed BlueBorne by the Armis Security researchers who found it, the attack is one of the most serious issues to affect Bluetooth. The ubiquitous technology has traditionally been used to connect mobile devices to accessories like speakers and keyboards. Increasingly, it’s seeing use as a crucial component of the Internet of Things, linking together hundreds of low-power connected devices.
BlueBorne is so serious because it has an unusually high reach. The researchers estimate that over 8.2 billion Bluetooth devices could be attacked. The vulnerability is easy to exploit. An attacker doesn’t need to craft special links, create email scams or hijack your Internet to distribute malware. They can just wait until you have Bluetooth turned on.
Because Bluetooth’s usually a privileged process in operating systems, a successful attack could break out of its infiltration vector to wreak havoc on your device. There are a few limitations to BlueBorne though, most notably Bluetooth’s limited range. The implementation details are also highly dependent on the victim’s operating system. An attack on a Windows device would look different to one for Linux or an Android smartphone.
Nonetheless, BlueBorne’s severity shouldn’t be underestimated. Armis Security warned “almost every” connected device worldwide stands at risk. This could make the vulnerability an attractive opportunity for cybercriminals. Malware could be distributed to dozens of smartphones by standing in a busy public area and waiting for devices to arrive with Bluetooth turned on.
READ NEXT: GE learns that IoT doesn’t scale as it rethinks digital strategy
“The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active,” said Armis Security.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.”
Armis Security notified significant third parties after it discovered the vulnerability. Google and Microsoft have both already released security patches for their affected products, closing the vulnerability. The Linux kernel maintainers have acknowledged Armis’ report and plan to release an update this week.
Apple replied to the disclosure but said none of its currently maintained devices house the flaw. Armis also reached out to Samsung on three occasions from April to June. Samsung still hasn’t sent a response to the report.
If your device hasn’t received an update yet, the simplest way to protect yourself is to turn Bluetooth off. This won’t be possible if you regularly use Bluetooth devices though, making it imperative device makers release updates in the coming weeks. Still, it can be expected many of the 8 billion Bluetooth devices in the wild will never receive the patch, even though they control products ranging from security cameras to smart thermostats.