Billions of devices at risk as new cyber-attack exploits Bluetooth vulnerability

They outlined eight vulnerabilities that can be used to attack the Linux open source kernel and Google's Android operating system, as well as Microsoft Windows and Apple iOS.

"The complications in the specifications translate into multiple pitfall junctions in the various implementations of the Bluetooth standard", the company says in a paper [PDF] describing a set of flaws referred to as BlueBorne. Just as frightening is that it can spread through the air and attack other nearby devices, a trait that has drawn comparisons to the WannaCry ransomware that initially spread like wildfire.

Another remote code execution vulnerability is similar to the previous one: it can be triggered without user interaction and can allow the attacker to take full control of the device.

Attackers can use Bluetooth technology to hack billions of PCs, mobile and smart devices. Unfortunately, it is often enabled by default on too many devices. "The vulnerabilities permeate all the major stacks on devices, and given Bluetooth's popularity we estimate there to be 5.3 billion vulnerable devices". This means an affected device can exploit another device within range (a maximum of 32 feet) as long as its Bluetooth connection is active.

"Spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort".

"The BlueBorne attack vector has several qualities which can have a devastating effect when combined", Armis said in a blog post. The next step involves the attacker obtaining the target's MAC address, and then they need to probe it to identify the operating system.

Bluetooth security risks are not a new thing, though most past attacks have involved misconfiguration or the lack of PIN authentication to secure a Bluetooth connection.

Armis also said that Bluetooth software offers a larger attack surface than Wi-Fi software does, especially since it's been largely ignored by the security community until now.

"Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with".

While the vulnerabilities vary by severity and platform, the worst affected are Android devices, and older iPhones and iPads.

The eighth flaw is a Remote Code Execution vulnerability in Apple's Low Energy Audio Protocol that does not yet have a CVE number assigned.

iPhones running iOS 10 are prone to this attack. Microsoft released a patch to fix the bug in July, but Android devices are the most vulnerable in this regard.

Google has pushed out patches in the September Android update (for Nougat and Marshmallow, i.e. v7.0 and 6.0) and provided the patches to its partners in August (but who knows how soon those partners will ready them for users). All parties agreed to keep the findings confidential until today's coordinated disclosure. It's able to spread through "improper validation", Izrael said. Almost every connected device out there has Bluetooth capability.

The complexity of Bluetooth has "kept researchers from auditing its implementations at the same level of scrutiny that other highly exposed protocols, and outwards-facing interfaces have been treated with", an Armis technical whitepaper (PDF) states. "This is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years".

Nonetheless, some devices will never receive a BlueBorne patch as the devices have reached End-Of-Life and are not being supported. The most significant one allows hackers to intercept all network traffic sent to and from the targeted Windows computer and to modify that data at will.
