Security flaws put billions of Bluetooth phones, devices at risk

(Image: ZDNet/CBS Interactive)

A set of vulnerabilities affecting “almost every” Bluetooth-connected desktop, mobile, and smart device on the market has been revealed.

Eight separate flaws, known collectively as “BlueBorne” by researchers at security firm Armis, affect devices with the Bluetooth short-range wireless protocol.

The more serious flaws allow an attacker to take control of affected devices and their data, and to steal sensitive business data from corporate networks. Malware exploiting the attack vector could be particularly virulent, the researchers said, because it could spread peer-to-peer and move laterally, infecting adjacent devices when Bluetooth is switched on.

A single infected device moving through a busy office past dozens of people with phones, tablets, or computers with Bluetooth switched on could cause a rapid infection across networks — leading to network infiltration, ransomware attacks, or data theft.

Armis, which has a commercial stake in the IoT security space, warned that the attack vector can be exploited silently. And, though the attacks require close proximity to a vulnerable device, no interaction with a victim is needed, said the researchers.

Exploiting the flaws relies on bypassing various authentication methods to take over a device. In other cases, the vulnerabilities can be used to intercept traffic between affected devices. To launch an attack, malware can connect to a target device and remotely execute code on the phone, tablet, computer, or smart device, which lets the malware spread further to other devices.

“These silent attacks are invisible to traditional security controls and procedures,” said Yevgeny Dibrov, Armis’ chief executive. “Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them.”

The “undetectable” flaws, said researchers, put the majority of devices around the world at risk — at least 5.3 billion devices — including Windows, Android, Linux, and Apple devices.

It is thought to be the most widespread set of vulnerabilities, judged by the number of devices affected.

While the vulnerabilities vary by severity and platform, the worst affected are Android devices, and older iPhones and iPads.