CALIFORNIA, U.S. - In a shocking revelation, California-based IoT security firm Armis has discovered that billions of devices globally are affected by Bluetooth bugs, called BlueBorne.
These bugs can allow an attacker access to your phone without having to even touch the device and Armis has found collection of eight exploits.
Further, the company revealed that the attack can allow access to computers and phones, as well as IoT devices.
More shockingly, it will let a hacker get into your phone in less than ten seconds.
Ralph Echemendia, CEO of Seguru said in a statement, “Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.”
Echemendia added, “BlueBorne affects pretty much every device we use. Turns that Bluetooth into a rotten black one. Don’t be surprised if you have to go see your security dentist on this one.”
A complex vector reportedly allows the hacker to identify a device, connect to it via Bluetooth, and then begin controlling the screen and apps. However, the action would not be completely secretive because in activating the exploits the attacker inevitably “wakes up” the device.
After finding a device to hack, it forces the device to give up information about itself and then, ultimately, release keys and passwords “in an attack that very much resembles heartbleed.”
Heartbleed was an exploit that forced many web servers to display passwords and other keys remotely.
It then sets out code executions that allows for full control of the device.
The researchers explained, “This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, a hacker can trigger a surgical memory corruption, which is easy to exploit and enables him to run code on the device, effectively granting him complete control.”
They added that finally, when the hacker has access they are able to begin streaming data from the device in a “man-in-the-middle” attack.
Adding, “The vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This attack does not require any user interaction, authentication or pairing, making it practically invisible.”
Researchers advised that users should keep all their devices updated regularly and be wary of older devices.
Armis said, “New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited.”