University of Wisconsin–Madison

“BlueBorne” Exposes Millions of Bluetooth Devices

It turns out that leaving Bluetooth on all the time is the equivalent of forgetting your house keys in the door on your way in. Security firm Armis Labs recently revealed the existence of a threat known as BlueBorne that exploits long-standing vulnerabilities in Bluetooth on devices running Android, iOS, Windows, Linux, and some older versions of Mac OS, leaving them open to attack as readily as walking into an unlocked house.

What is BlueBorne?

“BlueBorne” is a collection of 8 Bluetooth zero-day vulnerabilities, half of which are of critical severity, meaning that if your device becomes infected, it could run malware without you having to do so much as click on a risky link.

It potentially affects “millions of unpatched mobile phones, computers, smartwatches and Internet of Things (IoT) devices”, according to the United States Computer Emergency Readiness Team (US-CERT). A remote attacker could exploit several of these vulnerabilities to take control of affected devices. The scope of this threat is truly sweeping. It affects Windows, iOS, Linux and Android devices such as phones, tablets and smart watches, as well as smart TVs, Windows PCs, even refrigerators.

How does it work?

An infected device such as a smartphone connects invisibly to vulnerable devices within Bluetooth range. That range will vary from about 1 meter up to 100 meters, but the Bluetooth radios in most phones and mobile devices have a range of 10 meters. Once connected, the infected device could perform a variety of attacks, including infecting the target device with malware, or intercepting and altering data sent to or from it.

How can you protect your devices from BlueBorne?

Update your devices

One of the best ways to protect your devices is actually pretty easy – just keep them updated. The vendors of many affected devices have released or are soon expected to release patches. For example, iOS version 10 included mitigation of this vulnerability. If you’re using an Apple device with iOS 9.3.5 and lower, or an Android device with Android OS lower than version 6, you should update your device as soon as possible, and disable Bluetooth until you do.

What if you can no longer update your device?

One unfortunate aspect of this vulnerability is that older devices that are no longer receiving security updates will remain vulnerable. The good news is that protecting them is also pretty easy; simply disable Bluetooth, or minimize Bluetooth usage, especially when in range of unknown devices.

Related Links

Microsoft Security TechCenter

Android Security Bulletin—September 2017


The IoT Attack Vector “BlueBorne” Exposes Almost Every Connected Device

Bluetooth Wikipedia article

Security Update Severity Rating System