Billions of devices are now potentially at risk of being hijacked after security experts uncovered a large-scale Bluetooth malware attack.
Right now, around 5.3 billion devices sporting Bluetooth technology are considered potential targets of a so called Bluetooth malware attack according to researchers at Armis Labs. The figure was just a part of the 8.2 billion devices which use Bluetooth signals.
Technically, almost all devices today, from the smallest wearable to the biggest home appliances have Bluetooth capability which enable them to connect and communicate with other devices wirelessly. You name it: laptops, smartwatches, smartphones, speakers, home entertainment systems–nearly everything today is Bluetooth capable.Bluetooth malware attack uncovered by experts at Armis Labs! Billions of Bluetooth devices feared to be compromised! #BlueBorneClick To Tweet
Because Bluetooth can connect almost all devices today without any hassle, hackers found a way to exploit this capability and use it to carry out a large-scale attack. The attack method, dubbed by experts as BlueBorne, was said to be highly dangerous because it could spread without any action from the victim.
BlueBorne: A Quick Spreading Bluetooth Malware Attack
According to researchers from Armis Labs, an enterprise IoT security company, the hacker’s attack vector uses Bluetooth to infect devices without the knowledge of any individual. It can affect all sorts of devices that run on Windows, Linux, Android, and iOS.
Armis said that they have already informed the said tech giants about the new ‘BlueBorne’ attack, and some of these companies have even rolled out patches for it.
- Google – Contacted on April 19, 2017, after which details were shared. Released public security update and security bulletin on September 4th, 2017. Coordinated disclosure on September 12th, 2017.
- Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
- Apple – Contacted on August 9, 2017. Apple had no vulnerability in its current versions.
- Samsung – Contact on three separate occasions in April, May, and June. No response was received back from any outreach.
- Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.
A statement issued by Microsoft to the Threat Post about the Bluetooth malware attack read:
“Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”
On the other hand, in a white paper published by Armis Labs, the company explained how the attack vector of BlueBorne works. They explained:
“The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly.
The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.”
Threats Posed by the Bluetooth Malware Attack
Further investigation suggests that the BlueBorne attack vector has several qualities that may produce a devastating effect when combined.
“By spreading through the air, BlueBorne targets the weakest spot in the networks’ defense – and the only one that no security measure protects. Spreading from device to device through the air also makes BlueBorne highly infectious. Moreover, since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.
Unfortunately, this set of capabilities is extremely desirable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet. The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure “air-gapped” networks which are disconnected from any other network, including the internet.”
Apparently, an infected device can spread the malware to other nearby devices with the Bluetooth turned on.
“We’ve run through scenarios where you can walk into a bank, and it basically starts spreading around everything,” says Nadir Izrael, CTO at Armis Labs.
Michael Parker, Armis Labs’ marketing vice president, said that the Bluetooth malware attack echoes the way the WannaCry ransomware spread early this year.
“Imagine there’s a WannaCry on Bluetooth, where attackers can deposit ransomware on the device, and tell it to find other devices on Bluetooth and spread it automatically,” Parker said.
According to Apple, BlueBorne would not be a problem for its iOS 10 mobile operating system. However, the company who just recently released its newest smartphone, the iPhone X, confirmed that iOS devices which have 9.3.5 or older versions are vulnerable.
Furthermore, Armis estimates that out of the 2 billion devices using Android today, around 180 million are running on versions that won’t receive any patch. Other devices vulnerable to the Bluetooth malware attack also include single-purpose smart devices like smart televisions and refrigerators which rarely receive updates. Parker said:
“We’re looking at a forever-day scenario for many of these devices.”
Device owners who won’t receive the patch are advised by Armis to turn off and not use their Bluetooth to prevent attacks.