Billions of smartphones, laptops and Internet-connected devices are vulnerable to BlueBorne, a new attack vector being used by hackers to penetrate and control targeted devices by leveraging Bluetooth connections.
Using BlueBorne, hackers can conduct a range of cyber crimes, including remote code execution and man-in-the-middle attacks.
Security research firm Armis has, in a detailed research note, revealed the existence of BlueBorne, a new attack vector that is being used by hackers to infect, penetrate and take control over millions of smartphones, laptops and Internet-connected devices.
What is BlueBorne?
BlueBorne allows hackers to stage cyber-attacks by leveraging Bluetooth connections in all kinds of smart devices. An attack can be carried out on a device even if it is not paired to the attacker’s device or is not set to discoverable mode.
BlueBorne travels through the air and infects devices whose Bluetooth connections are turned on and which feature poor security credentials. Once it penetrates a device, it exploits the high privileges that the Bluetooth process enjoys on all operating systems to fully control the device.
Because it uses Bluetooth connections to infiltrate devices, BlueBorne can be used by hackers as a carrier for other malicious software like ransomware, trojans and botnets and can also be used for carrying out cyber espionage and data theft.
Is BlueBorne a worldwide threat?
According to Armis, BlueBorne has the capability to infect every single device in the world that has a Bluetooth connection. This means that devices that are not connected to the Internet but depend on Bluetooth for short-range communications are also vulnerable to the threat.
To put it in numbers, there are more than 2 billion Android, 2 billion Windows, 1 billion Apple and 8 billion connected or IoT devices in use around the world that feature Bluetooth connections. BlueBorne is capable of infecting any of these devices if their Bluetooth connections are turned on.
‘With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities,’ noted researchers at Armis.
Since it is airborne, BlueBorne is much more contagious and can bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. At the same time, no action is required from a user, like clicking on links or downloading attachments, for an infection to take place.
‘Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected,’ the researchers added.
Who is affected?
In April, Armis contacted Google, Microsoft, and Samsung to inform them about the threat and to help them release patches to cover the vulnerability. While Samsung didn’t reply to any of Armis’ requests, Google released a public security update and security bulletin on 4th September and Microsoft released security updates on 11th July.
While all Android phones, tablets, and wearables were found to be initially vulnerable to BlueBorne, new patches released by Google will at least secure devices with Nougat and Marshmallow operating systems from the threat.
A vulnerability in all iPhone, iPad and iPod touch devices with iOS 9.3.5 and older versions of the operating system allows hackers to conduct remote code execution using BlueBorne. However, if you upgrade your Apple device to iOS 10, you will be secure from such threats.
How can BlueBorne be contained?
According to Kevin Bocek, Chief Security Strategist at Venafi, BlueBorne’s spread can be contained if every app and website has a unique machine identity. This will prevent BlueBorne from running applications and connecting to websites to execute more attacks.
‘Without this – the attacks as demonstrated with BlueBorne – it’s all too easy for hackers to run malicious applications or redirect people to a fake website. BlueBorne shows why it’s so urgent for businesses to ensure that every web, desktop, and mobile application has a unique machine identity so that they can maintain constant visibility and control,’ he adds.
Leigh Anne Galloway, cyber security resilience lead at Positive Technologies, believes that while certain devices can be protected by updating them with security patches, the same cannot be said for millions of dumb gadgets like speakers, keyboards, and mice for which there will never be a fix.
‘Long term, the answer is that if any device can connect to another in any way, it needs to have security built in from the outset or hackers are going to take advantage of it. In the short term, make sure that any devices that can be updated are and, where possible, turn the Bluetooth off of anything not in use,’ she adds.