If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!
By Daisy Luther
In case you don’t have enough to worry about with hackers getting into our power grids, cyber attacks taking down entire countries, and epic natural disasters, a newly discovered Bluetooth flaw makes nearly all devices that are connected subject to hackers.
Tech Republic reports:
BlueBorne is an attack vector that could affect billions of devices. If you’re running IoS, Android, Windows, and even Linux, your devices could be at risk.
Using BlueBorne, hackers can attack Bluetooth-connected devices over the air, without the device even being paired to the attacker’s device, the post said. Once successfully penetrated, the attacker gains full control over the victim’s device.
So far, Armis Labs has identified eight zero-day vulnerabilities associated with BlueBorne. However, as noted in the post, the firm believes there could be “many more” vulnerabilities waiting to be discovered. BlueBorne can conduct remote code execution and Man-in-The-Middle attacks, for example…
Because BlueBorne is airborne, and can spread from device to device, it is considered “highly infectious” by the researchers. It’s airborne nature also means that it is often targeting the weakest spot in the defense strategy for most modern networks…
The method through which BlueBorne spreads allows it to infect air-gapped networks as well, which was a major concern for the researchers. Additionally, it takes minimal effort on behalf of the attacker, requires no victim interaction, and can remain undetected in many systems…(source)
This makes all of your connected devices vulnerable to cyber espionage, data theft, and ransomware. If your passwords are saved for your bank or credit accounts, you can be easily hacked due to this vulnerability. Anything on your devices is under the control of the hackers.
The report by Armis Security calls this a “comprehensive and severe threat.”
The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active. Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected. (source)
These devices have the potential to be hacked with the Bluetooth flaw
Armis warns that the following devices could be hacked with BlueBorne. And warning, it’s nearly every device out there.
AndroidAll Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).Examples of impacted devices:
Google Pixel Samsung Galaxy Samsung Galaxy Tab LG Watch Sport Pumpkin Car Audio SystemGoogle has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin on September 4, 2017. We recommend that users check that Bulletin for the latest most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level,Note to Android users: To check if your device is at risk or is the devices around you are at risk, download the Armis BlueBorne Scanner App on Google Play.
Windows
All Windows computers since Windows Vista are affected by the “Bluetooth Pineapple” vulnerability which allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-8628).Microsoft issued has security patches to all supported Windows versions on July 11, 2017, with coordinated notification on Tuesday, September 12. We recommend that Windows users should check with the Microsoft release at here for the latest information.
Linux
Linux is the underlying operating system for a wide range of devices. The most commercial, and consumer-oriented platform based on Linux is the Tizen OS.
All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250). All Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (CVE-2017-1000251).Examples of impacted devices:
Samsung Gear S3 (Smartwatch) Samsung Smart TVs Samsung Family Hub (Smart refrigerator)Information on Linux updates will be provided as soon as they are live.iOS
All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available.If you are concerned that your device may not be patched, we recommend disabling Bluetooth, and minimizing its use until you can confirm a patch is issued and installed on your device. (source)
How can you protect yourself?
One of the primary uses of Bluetooth is for cell phone users so that they can talk hands-free while driving. Keep in mind the contagious nature of this attack vector. If they can hack your phone, they can hack your car, and we all suspected that this has been a tool for high-tech murder in the past. This takes the death of journalist Michael Hastings from some high-tech sci-fi conspiracy theory to a task within the ability of any moderately skilled hacker who has his hands on Blueborne.
As well, devices that sync with your computer, like fitness watches, also use Bluetooth technology. You should disable your Bluetooth until this is resolved.
Quite scary. But I thought that this has been around for years?
Some hackers actually used wireless technology to hack a Jeep Cherokee and controlled its speakers, screens and even stopped the accelerator from working. I don’t have the link, but look up ‘hackers take control of Jeep Cherokee’ and you should find it.
So, this isn’t really new when it comes to hacking through Bluetooth. So beware of unscrupulous hackers.
I didn’t see a mention of automotive vulnerabilities… perhaps I missed it.
Because notable journalists and others have been murdered via exploitation of the bluetooth capability built into many modern automobiles, I’ll mention it here.
IF your vehicle has bluetooth capability – even if you’ve never used it – you are vulnerable to having your ride infected with this malware merely by driving on any road where another vehicle is also driving within 30 feet (further over water, as on a bridge). Vehicular control functions such as acceleration, braking or steering can be manipulated remotely through a hacked bluetooth connection. In other words, you could be murdered. It has already happened at least three times.
Auto manufacturers should be pressured to publish ways that owners of their machines can disable bluetooth reception in a way that is NOT reversible by software (must be a hardware solution). Failing to do so will expose them to class action lawsuits for premeditated murder, a crime for which the corporate veil of immunity can be torn asunder and the guilty parties responsible for the harmful decisions can be sent to prison.
You didn’t miss it. This is an excellent point and it makes perfect sense that vehicles would also be vulnerable to this hack and many others.