A set of zero-day Bluetooth-related vulnerabilities affecting billions of devices has reared its ugly head. Dubbed BlueBorne, it affects nearly all devices with Bluetooth capabilities, including smartphones, TVs, laptops, watches, smart TVs and some automobile audio systems.
Armis, the enterprise IoT security company, found that if exploited, the vulnerabilities could enable an attacker to take over devices, spread malware or establish a man-in-the-middle connection to gain access to critical data and networks without user interaction.
“These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date,” Armis explained, in an alert. “Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device.”
Also, because these are proximity-based network vulnerabilities, they could allow attackers to create broad malware infections that could spread from one infected device to many others by wirelessly connecting to other devices over Bluetooth. The device-to-device connectivity nature of Bluetooth means an airborne (hence "BlueBorne") attack could easily spread without any action required by a user.
"These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," said Yevgeny Dibrov, CEO of Armis. "The research illustrates the types of threats facing us in this new connected age."
The vulnerabilities were found in the Bluetooth implementations in Android, Microsoft, Linux and iOS versions pre-iOS 10. Armis reported the vulnerabilities to Google, Microsoft and the Linux community. Google and Microsoft have released updates addressing the issue, while others are preparing fixes that are in various stages of being released.
The problem is that the average consumer may not know to update their devices.
“The latest vulnerability affecting billions of global Bluetooth devices is a sharp reminder to the importance on keeping devices patched and up-to-date,” Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged account management (PAM) solutions, told Infosecurity. “These serious cyber-security risks should raise the level of importance that everyone should stop and take the time to check the current state of their device software versions and the vulnerabilities they have. Many companies look for unprotected Wi-Fi access points but rarely check for unprotected Bluetooth connections so this means many companies' current security controls will not prevent these vulnerabilities from being exploited.”
Also, the vulnerabilities in BlueBorne are widespread and patches will be coming out for months—so users should disable their Bluetooth until they become available.
"Bluetooth is everywhere, from your laptop to your front-door lock,” said Lamar Bailey, senior director of security research and development at Tripwire, via email. “Bluetooth should be treated like any open port—if you do no need it then turn it off. That may not always be easy with Bluetooth keyboards and mice/trackpads but in situations where non-employees are within 40 feet of systems, like banks at teller windows, it is best to use wired input devices and not reply on Bluetooth.”
The situation is one more reason to put additional emphasis on locking down the internet of things (IoT), according to Jackson Shaw, senior director of product management at One Identity.
"Analyst firm Gartner touts, as do many IoT vendors, that 8.4 billion connected things will be in use in 2017, up 31% from 2016,” he said. “While this statistic is impressive, you pale when you realize that any kind of security breach related to IoT will have massive scale and effect. This is a clear example of that. It is also should be a wake-up call that better vulnerability and penetration testing is a must for all IoT vendors. It’s time for the IoT Cybersecurity Improvements Act of 2017 to be debated and enacted."
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visithttps://www.infosecurity-magazine.com/conferences/infosecurity-north-america/