Internet of Things (IoT) security research firm Armis has discovered a Bluetooth hack that affects most Bluetooth devices.
Dubbed ‘BlueBorne,’ the virus is capable of spreading through two specific Linux vulnerabilities, four Android vulnerabilities, one Windows vulnerability and one Apple vulnerability.
Dangerous even if not discoverable
Not only do Bluetooth-capable devices not need to be discoverable, targeted devices do not need to be connected to the attacker’s device in order for BlueBorne to spread.
In a paper, Armis researchers Ben Seri and Gregory Vishnepolsky clarified that targeted devices do not need to authorize or authenticate a connection with an attacker’s device. BlueBorne can even penetrate “air-gapped” networks which are not connected to the internet.
Seri and Vishnepolsky explained that “Bluetooth’s complexity” is responsible for the exploit.
“The complications in the specifications translate into multiple pitfall junctions in the various implementations of the Bluetooth standard,” reads an excerpt from Seri and Vishnepolsky’s paper.
According to Armis, most Bluetooth devices only pair or connect when they’re set to be discoverable. However, Bluetooth devices are always listening for traffic, even when they’re not discoverable — a state called ‘page scan mode.’
As a result, all that an attacker needs is a Bluetooth device address in order to initiate a connection.
“Once an attacker acquires it, and is in physical proximity of the device, he or she can reach the surprisingly wide attack surface of its listening Bluetooth services,” reads another excerpt.
Seri and Vishnepolsky explained that it’s normally difficult to determine a Bluetooth device address, but the process is made easier by the use of hardware like Ubertooth, which works “by sniffing the air for Bluetooth packets.”
Armis has already reached out to Google, Microsoft, Apple, Samsung and the Linux kernel security team to inform these groups of the BlueBorne exploit.
As of September 4th, 2017 Google has issued a security patch and notified its partners. Microsoft released a security patch on July 11th, 2017.
As for Apple devices, BlueBorne affects all iPhones, iPads and iPod Touch devices running iOS 9.3.5 and older, as well as Apple TV devices running version 7.2.2 and older.
“This vulnerability was already mitigated by Apple is iOS 10, so no new patch is needed to mitigate it,” said Armis.
Regardless, it’s still advisable to update all devices to the latest firmware.