Another hack has been found that will allow an attacker to access your devices without touching them. The hack allows the hacker to identify a device, connect to it via Bluetooth, and then begin controlling the screen and apps. The attack can allow access to computers, phones, and internet connected devices.
Security company Armis Labs found the collection of eight zero-day exploits, collectively called BlueBorne. Zero-day exploits are security flaws that are found before developers have a chance to fix them. In several trials, researchers were able to create botnets and install ransomware using Bluetooth. The company says “the BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.”
The attack is especially dangerous because it can spread without the victim doing anything or noticing it. All hackers need to spread their malware is for their victims’ devices to have Bluetooth turned on. The attack does not require any user interaction, authentication, or pairing, making it practically invisible.
BlueBorne is “highly infectious,” according to Armis Labs. The company says that BlueBorne is “an attack that very much resembles Heartbleed,” an exploit that forced many web servers to display passwords and other keys remotely. It also echoes the way the WannaCry ransomware spread earlier this year. That ransomware infected hundreds of thousands of computers within several hours.
Nearly every connected device out there has Bluetooth capability. Bluetooth signals allow gadgets to connect and communicate wirelessly. An estimated 8.2 billion devices use Bluetooth. Armis Labs says more than 5 billion devices are vulnerable to attacks through the Bluetooth exploits.
In most cases, the problems associated with BlueBorne vectors will be patched by the major players in the electronics space. Windows and iOS phones are already protected from the vulnerability. Microsoft released a patch for its computers in July, and anybody who updated would be protected automatically.
Apple also regularly updates its products for security. Apple confirmed that BlueBorne is not an issue for its mobile operating system, iOS 10, or later. Google users are receiving a patch today. Pixel devices have already received the updates.
Android partners received the patch in early August, but it’s up to the carriers to release the updates. However, devices running older versions of Android could still be vulnerable. Armis noted that of the 2 billion devices using Android, about 180 million are running on versions that will not be patched.