Yesterday, researchers at Armis announced that they had found a series of vulnerabilities in Bluetooth that can allow an attacker to take over a device in seconds, with no interaction from the user end. They have dubbed this new attack "BlueBorne."

Bluetooth is a short range wireless protocol most commonly used to send things like audio and pictures between devices, such as between your phone and your car, and between your computer and wireless speakers or headphones. It is also used to connect mobile devices together, for example, syncing smart watches and activity trackers with a phone. Because of its versatility and low power usage, Bluetooth is in many of the devices that we use in our work and everyday lives.

BlueBorne only requires that a target device's Bluetooth be enabled for the attack to take place and to carry out remote code-execution attacks. In example demonstrations provided by Armis they demonstrate capturing the audio from the microphone on a smart watch, taking control of a smartphone, taking a picture with the camera and transmitting it to the attacker, and directing users to malicious web pages on a Windows computer.

Thankfully, Microsoft released Windows security updates in July that prevent the attack on Windows devices and Apple iOS devices (iPhones, iPads, etc.) running on iOS 10 and above are not vulnerable. Android phones and Linux devices (including things like smart-TVs and some smart-watches) are currently vulnerable. Google recently released Android security patches, however they must go through each device manufacturer (such as Motorola and Samsung) before reaching the public.

In addition to security patches, the attack is limited to Bluetooth's range (typically up to about 32 feet, or 10 meters). While devices like smart-TVs could be vulnerable, the attacker would likely need to be in your home to execute the attack. While most newer cars have Bluetooth, attacks against them would likely be limited by Bluetooth's short range.

What can you do to protect yourself?

1. Make sure your devices are updated.

  • If you use Windows computers, make sure you have the most recent Windows Updates installed. You can run updates by going to Start > Settings (or Control Panel) > Windows Updates.
  • If you use iOS devices make sure that they are on iOS 10 or greater. You can check by going to Settings > General > Software Updates.
  • Security updates should begin showing up for Android phones within the next few weeks, and should be run as soon as they become available. You can manually check for updates by going to Settings > System Updates and selecting "Check for updates".

2. If you have an Android phone or tablet or a Linux computer, turn off the Bluetooth when not in use. On most Android phones you should be able to swipe down from the top to get a quick list of settings, alternatively you can go to Settings > Bluetooth.

3. If you have a Linux-powered smart-watch (or other portable smart device that requires a Bluetooth connection) such as the Samsung Gear S3, evaluate the risk and consider not using it until a security update has been released.

For more detailed information, including demonstration videos, please see Armis's site at https://www.armis.com/blueborne/, or view theĀ BlueBorne Technical White Paper provided by Armis. Reach out to Delap's cybersecurity professionals if you have questions or concerns.