More than 5.3 billion devices with Bluetooth signals are at risk of a malware attack newly identified by an internet of things security company.
If you’re not keeping count, that’s most of the estimated 8.2 billion devices that use Bluetooth, which allows our gadgets to connect and communicate wirelessly.
A set of vulnerabilities affecting “almost every” Bluetooth-connected desktop, mobile, and smart device on the market has been revealed. Your phones, laptops, speakers, auto entertainment systems – the list goes on and on to even the most mundane gadgets.
Although Armis claims that hackers could use the vulnerabilities, which they’ve nicknamed BlueBorne, to initiate a silent attack undetectable to the user, the attack they demonstrated left visual clues that would let a device’s owner know something was wrong.
In a lot of cases, malware depends on people clicking on a link they shouldn’t have, or downloading a virus in disguise.
“I hope our efforts with BlueBorne help other researchers examining Bluetooth implementations to see what potential issues need to be looked at”, Seri said. By scattering over the airwaves, BlueBorne is “highly infectious”, Armis Labs said. The attack mirrors the way the WannaCry ransomware spread earlier this year using the NSA’s EternalBlue vulnerability.
Furthermore, the vulnerabilities can be combined into a self-spreading Bluetooth worm that could wreak havoc inside a company’s network or even across the world.
“What we found are vulnerabilities in the Bluetooth stacks and the flaws don’t rely on authentication or PIN code misuse”, Ben Seri, head of research at Armis, told eWEEK.
Researchers have dubbed the attack that takes advantage of these code flaws “BlueBorne” because it is airborne and spreads via Bluetooth.
Bluetooth has become the primary mode of sharing data over short distances. BlueBorne is able to spread through “improper validation”, Izrael said.
Android and Windows systems are vulnerable to man-in-the-middle (MITM) attacks, where an attacker intercepts communications between devices by secretly acting as a relay station between the two.
Several companies, including software and device makers, were notified of the vulnerabilities in April and have since rolled out patches. While the underlying vulnerability exists in some form across most Android and Linux devices, the specific exploit varies from system to system, making it hard to write a single virus that would be able to target every vulnerable device.
However, the claims come with some serious caveats: iPhones running the most recent OS and Windows phones aren’t affected, Google is releasing Android patches today, Microsoft issued patches in July, and Linux also has patches available.
Several popular phones, including Google’s Pixel and Samsung Galaxy devices, are vulnerable.
The concern is the multitude of devices that will not be getting updates.
“Customers who have Windows Update enabled and applied the security updates, are protected automatically”, a Microsoft spokesperson tells Fortune. But updates might not be as frequent for single-purpose smart devices like your smart refrigerator or a connected television.
BlueBorne vulnerabilities are tracked under the following identifiers: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785 for Android devices; CVE-2017-1000251 and CVE-2017-1000250 for Linux; and CVE-2017-8628 on Windows.
“We’re looking at a forever-day scenario for many of these devices”, Parker said.