Bluetooth Security Flaws Impacting 'Billions Of Devices' Come With Some Serious Caveats

Leaving your phone or computer's Bluetooth on all the time has never been a good idea, but now researchers at the cybersecurity firm Armis are claiming to have discovered a series of vulnerabilities that allow them to silently hack devices over Bluetooth.

Photo: AP

However, the claims come with some serious caveats -- iPhones running the most recent OS and Windows phones aren't affected, Google is releasing Android patches today, Microsoft issued patches in July, and Linux also has patches available. Further, the hack requires an attacker to chain together several vulnerabilities and have proximity to the device, making it difficult to duplicate in the wild.

Despite the fact that the vulnerabilities are complex and widely patched, Armis researchers estimated that they could still affect 5.3 billion unpatched devices. "It doesn't require the user to make a mistake, or have a device in a discoverable mode. All it requires is a device or a user to have Bluetooth on," Nadir Izrael, CTO of Armis, told Gizmodo.

Armis researchers demonstrated their attack for Gizmodo on a Google Pixel phone, running Android 7.1.2. Although Armis claims that hackers could use the vulnerabilities, which they have nicknamed BlueBorne, to initiate a silent attack undetectable to the user, the attack they demonstrated left visual clues that would let a device's owner know something was wrong.

Ben Seri, one of Armis' researchers, used the vulnerabilities to connect to the Pixel without any input from the device. "Because you can use Bluetooth to connect a mouse or keyboard to an Android device, now I can run it," Seri explained. Seri was able to turn the device on remotely, take photos, and export them back to his computer -- but his cursor wandered the Pixel's screen to issue commands, which would be a giveaway to the phone's owner if they were watching their screen.

However, Izrael claimed sophisticated attackers could take the exploits even further than Armis did, installing malicious apps without any visual signs of compromise. The researchers also told Gizmodo their takeover could spread, virus-like, from one infected device to the next, although they did not demonstrate this claim and leaping between different operating systems would be very complex.

Although you're not likely at risk from BlueBorne, it's a good idea to keep Bluetooth turned off on your device when you're not using it.



    iPhones not affected !

      Up to date iPhones are not affected, anything on 9.3.5 or lower is affected (10+ and you are fine)

    My galaxy note won't connect to a Bluetooth device until i allow it. How do they by pass that part?

      that's part of the vulnerability, it should be able to but they have found an exploit that allows it.

        Oh okay. Thanks for that. I'll be turning off my Bluetooth when I'm not using it then until the update comes through but really, what are the chances.

    Stuff like this is why Android needs to change the way they deliver updates.

    majority android phones (non nexus/pixel) are typically at the mercy of the manufacturing company to update the phones

    Google could put security updates into their own hands and release them separate of features and such.

    IDK, something just needs to change because lazy companies and novice consumers are the reason security flaws like this can be so devastating.

Join the discussion!

Trending Stories Right Now