Security flaws put billions of Bluetooth phones, devices at risk

It's thought to be the most widescale set of vulnerabilities based on the number of devices affected, hitting Windows desktops, Android devices, older iPhones and iPads, and smart devices.
Written by Zack Whittaker, Contributor


A set of vulnerabilities affecting "almost every" Bluetooth-connected desktop, mobile, and smart device on the market has been revealed.

Eight separate flaws, known collectively as "BlueBorne" by researchers at security firm Armis, affect devices with the Bluetooth short-range wireless protocol.

The more serious flaws allow an attacker to gain control of affected devices and their data, and steal sensitive business data from corporate networks. Malware exploiting the attack vector may be particularly virulent, passing peer-to-peer and jumping laterally to infect adjacent devices when Bluetooth is switched on, said the researchers.

A single infected device moving through a busy office past dozens of people with phones, tablets, or computers with Bluetooth switched on could cause a rapid infection across networks -- leading to network infiltration, ransomware attacks, or data theft.

Armis, which has a commercial stake in the IoT security space, warned that the attack vector can be exploited silently. And, though the attacks require close proximity to a vulnerable device, no interaction with a victim is needed, said the researchers.


Exploiting the flaws relies on bypassing various authentication methods to take over a device. In other cases, the vulnerabilities can be used to intercept traffic between affected devices. To launch an attack, malware can connect to a target device and remotely execute code on the phone, tablet, computer, or smart device, which lets the malware spread further to other devices.

"These silent attacks are invisible to traditional security controls and procedures," said Yevgeny Dibrov, Armis' chief executive. "Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them."

The "undetectable" flaws, said researchers, put the majority of devices around the world at risk -- at least 5.3 billion devices -- including Windows, Android, Linux, and Apple devices.

It's thought to be the most widescale set of vulnerabilities based on the number of devices affected.

While the vulnerabilities vary by severity and platform, the worst affected are Android devices, and older iPhones and iPads.

The majority of Android phones, tablets, and wearables -- except devices with only Bluetooth Low Energy -- are vulnerable to two memory corruption-based remote code execution flaws, an information leak bug, and a data-intercepting man-in-the-middle attack.

Several popular phones, including Google's Pixel and Samsung Galaxy devices, are vulnerable. ZDNet's own testing, using Armis' app to check local and nearby Android devices for the vulnerabilities, shows several BlackBerry phones are at risk, as well as other Android devices.

Apple fixed its share of the vulnerabilities in iOS 10, which 89 percent of all users are using as of early September. But that still puts millions of older iPhone 4s handsets that are ineligible for the latest update, as well as all other devices running iOS 9.5.3 and lower, at risk.

Windows machines with Bluetooth are also at risk of a vulnerability that lets an attacker invisibly intercept or reroute wireless traffic by creating a malicious networking interface on the device.

Several Linux-based devices and machines dating back to late-2011 are also at risk of complete remote takeover, including Tizen devices -- notably Samsung's Gear S3 smart watch, several Samsung televisions, and a handful of drone models. (Armis said that the electronics giant was contacted several times but did not respond. When reached, a Samsung spokesperson did not provide comment.)

Armis has also released a detailed technical whitepaper on the flaws.

For the regular consumer, there's good news and bad news.

Several companies, including software and device makers, were notified of the vulnerabilities in April and have since rolled out patches. The majority of newer phones, tablets, and some computers have already been fixed.

But many older devices will not be patched.

Google is patching Android 4.4.4 KitKat and later, leaving fewer than one-in-ten older Android devices without the patches. A Google spokesperson said the company "will continue working with other affected platforms across the industry to develop protections that help keep users safe."

Microsoft said in an emailed statement that it patched its Windows-focused vulnerability back in July, but "withheld disclosure until other vendors could develop and release updates." Windows Phones are not affected.

Those who are affected but can't get patches are advised to leave Bluetooth switched off.

"The vulnerabilities described above, and the related exploitation techniques are not very complex," said the researchers in the technical paper.

Part of the blame for these flaws falls on how device makers have implemented the overly complex Bluetooth protocol across devices over the years, which is where many of the weak spots are found.

"In some areas the Bluetooth specifications leave too much room for interpretation, causing fragmented methods of implementation in the various platforms, making each of them more likely to contain a vulnerability of its own," the company said. "This is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years."

"The research illustrates the types of threats facing us in this new connected age," said Dibrov.
