What spreads through the air, is invisible to users, and requires no user interaction — no clicking, no pairing, no downloading, not even turning on discoverable mode — but could bring the hurt to billions of devices? It’s an attack vector dubbed Blueborne.
Researchers revealed eight different bugs that affect the Bluetooth implementations of more than 5.3 billion devices, including those running Android, Windows, Linux and iOS.
IoT security company Armis warned that all it takes is having Bluetooth on, and within 10 seconds, your device could be pwned from 32 feet away. And it’s wormable, a regular walking worm, meaning one infected device could spread it to others. While that already sounds ominous, Armis gave a scenario in which the infection spreads ransomware from one Bluetooth-enabled device to the next.
The flaws are not in the Bluetooth protocol, but in the stacks — the Bluetooth implementations. The researchers discovered four of the flaws in Android’s Bluetooth stacks, one in Windows, one in iOS and two in Linux. They are not just talking about desktops, laptops and phones; Armis warned that Bluetooth “is used by devices of all kinds, from regular computers and mobile devices to IoT devices such as TVs, watches, cars and even medical appliances.”
Bluetooth devices affected by the Blueborne threat
The vulnerabilities disclosed by Armis affect all devices running Android, Linux, Windows, or versions of iOS prior to 10, regardless of the Bluetooth version in use. This means almost every computer, mobile device, smart TV or other IoT device running one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally.