BlueBorne Shows Vulnerabilities in Bluetooth Devices

Written By
Sue Poremba
Sep 14, 2017

The other day, I had a conversation with some people who work in secure areas of their companies and have very limited access to smart devices. One person pointed at my fitness tracker and said, “We aren’t even allowed to wear one of those. The Bluetooth makes it a security risk.”

Bluetooth is one of those technologies that gets ignored when discussing security risks. I don’t know why; I purposely bought my fitness tracker because of those concerns. And oddly, that conversation over the weekend came up just as a Bluetooth attack vector became known (pure coincidence).

According to eSecurity Planet, Armis Labs researchers found this Bluetooth attack vector. Hackers can gain control of various devices and, through them, gain access to sensitive data on the network or spread malware:

Notably, the attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. The attack vector, which the researchers are calling BlueBorne, leverages eight zero-day vulnerabilities, four of them critical. It affects mobile, desktop and IoT operating systems, including Android, iOS, Windows and Linux.

Joseph Carson, chief security scientist at Thycotic, pointed out to me in an email comment that BlueBorne is a reminder of how cybercriminals will take advantage of any vulnerabilities they can find. In this case, that means gaining access to a Bluetooth-enabled device and, beyond that, using the device to literally move across the network and steal sensitive information. He added:

Many companies look for unprotected Wi-Fi access points but rarely check for unprotected Bluetooth connections, so this means many companies’ current security controls will not prevent these vulnerabilities from being exploited. Many experts have recommended that people disable Bluetooth on their devices. However, this is very unlikely to happen since it would mean many wearables like fitness trackers, Bluetooth headsets and smart watches would not be useable since they rely heavily on Bluetooth pairing.

However, we shouldn’t blow this out of proportion, Mike Weber, vice president, Labs of Coalfire, told me via email. Yes, BlueBorne could potentially affect a large percentage of the estimated 8.2 billion Bluetooth-enabled devices and we need to take this seriously. But:

there are patches available for most of the common operating systems used in these types of devices. While the research discusses the possibility of worm-style attacks being possible in the wild, there are no currently known instances of this actually occurring and the difficulty level of writing a single worm to impact all devices would be high. Finally, this vulnerability can only be used against devices within the effective Bluetooth range of the attacker (which is 33 feet on average in mobile phones and headsets, and 328 feet on average in laptops and desktops).

It’s a serious matter, and one that needs our attention globally, Dan Lohrmann, chief security officer at Security Mentor, told me, and I agree with him. If nothing else, we all need to pay better attention to the security risks involving Bluetooth, just like those friends of mine who work in secure areas.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
