New Bluetooth vulnerability can be exploited to silently hack Android phones

Wednesday, 13 Sep, 2017

Conversely, the bad news is that many devices don't get updated, for example, Android devices are notorious for lacking security updates or having to wait a long time to receive them, leaving millions, potentially billions of Android devices at risk. Your phones, laptops, speakers, vehicle entertainment systems - the list goes on and on to even the most mundane gadgets. Although Armis claims that hackers could use the vulnerabilities, which they have nicknamed BlueBorne, to initiate a silent attack undetectable to the user, the attack they demonstrated left visual clues that would let a device's owner know something was wrong. All Android devices, besides those using Bluetooth Low Energy, are affected by BlueBorne - albeit in different ways. With Android, that might be easier said than done though since a lot of that depends on the manufacturers. Smartphones and tablets manufactured by every major phone maker from Apple to Samsung as well as computers and other devices that are likely to house sensitive personal or business information are all Bluetooth-enabled.

Armis researchers have described BlueBorne in a detailed post.

Mr Miller said the BlueBorne infection method was more risky than past attacks, such as the WannaCry ransomware attack.

And BlueBorne may not be the only airborne computer virus, but just the one that has been found.

A cyber security firm, Armis has recently discovered a pool of as many as eight exploits known as BlueBorne.

Armis also called for more attention on implementing secure Bluetooth protocols in the future, as the impact of any newly found threat could be quite significant, considering that billions of devices make use of the technology.

"Imagine there's a WannaCry on Bluetooth, where attackers can deposit ransomware on the device, and tell it to find other devices on Bluetooth and spread it automatically". Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Zero-day vulnerabilities are security flaws that are found before developers have a chance to fix them.

As soon as the hacker gets the access of a particular device, he starts to stream the data from the device in a "man-in-the-middle" attack. It's able to spread through "improper validation", Izrael said. Accordingly, Armis wasn't aware of patches for Linux operating systems, meaning anything running BlueZ are vulnerable to one of the vectors, while those with Linux version 3.3-rc1 can be attacked by another. Others are preparing patches that are in various stages of being released.

Reports indicate Microsoft has issued a patch for the vulnerabilities in its September security updates, Google has issued patches for Android in September and Apple has patched BlueBorne in iOS 10.

Microsoft had already issued updates on 11 July. "In the short term, make sure that any devices that can be updated are and, where possible, turn the Bluetooth off of anything not in use", she concluded. Google, Microsoft and Apple are tech titans that regularly update their products for security.

"The automatic connectivity of Bluetooth, combined with the fact that almost all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive", researchers said.