New 'Airborne' Attack Vector Threatens All Bluetooth Devices

Cyber security company Armis Labs reports about a new attack vector that can be employed by hackers to take full control of devices using Bluetooth. It is called "BlueBorne" as it spreads through the air, exploiting vulnerabilities in the Bluetooth communications protocol of desktop and mobile operating systems including Windows, Linux, iOS, and Android. All of the most popular IT devices that have the Bluetooth technology are put in danger by this new hacking possibility, meaning attackers can penetrate smartphones, IoT devices, and desktop PC, and respectively, access all the data that is stored on them.

Through BlueBorne, attackers can leverage Bluetooth connections to gain control over targeted devices, whereby this type of attack does not require the target device to be connected to the attacker's device. Moreover, the victim's device does not even need to be set on discoverable mode for the attack to be a success. Furthermore, with an airborne attack, the hackers avoid all currently available security tools which protect only Internet connections. Another important point is that no user interaction whatsoever is required to initiate the attack as is the case with most of the traditional malware attacks.

All these qualities of BlueBorne make it superior to other known attack vectors as it could deploy malware on devices that are not connected to any other networks, even Internet. Armis Labs considers the new vector highly dangerous since it exposes Bluetooth devices to all kinds of cyber-attacks, including remote code execution and Man-in-the-Middle attacks. Specifically, BlueBorne can be used for ransomware attacks, cyber espionage, data theft, and even for including the infected mobile and IoT devices into large botnets. Moreover, any malware distributed through BlueBorne would be highly infectious as it will immediately transfer to all adjacent devices that have Bluetooth connectivity.

Since Bluetooth is the most widely spread protocol for short-range communication between devices, the new attack vector could without a doubt cause massive damage. It is estimated that over 8.2 billion devices worldwide currently have the Bluetooth technology, whereby the range of gadgets goes far beyond computers and smartphones – watches, smart TVs, cars, and even medical appliances are in danger too.

Fortunately, most of the vulnerabilities that allow BlueBorne attacks have already been fixed in all operating systems. Armis Labs contacted Google and Microsoft in April this year, while Apple and Linux received the reports in August. For Apple devices, the latest iOS 10 version is safe; Google has also released a security update in September that fixes the issues. Microsoft pushed the updates in July, and Linux vulnerabilities have been patched as well this month. Samsung was contacted on three different occasions in April, May, and June, yet the company has still not responded to the reported issues.