MUMBAI: Armis Labs recently revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them.
The new vector is dubbed “BlueBorne”, as it spread through the air (airborne) and attacks devices via Bluetooth.
It has also disclosed that eight related zero-day vulnerabilities, four of which are classified as critical.
BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices.
Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.
Vitaly Kamluk, senior anti-virus expert, Kaspersky Lab, said, "Bluetooth attacks such as a recent set of attack vectors dubbed Blueborne depend on the simple availability of the Bluetooth device as well as close physical proximity. Regardless of the security features on your device, the only way to completely prevent attackers from exploiting your device is to power off your device’s Bluetooth function when you’re not using it — not putting it into an invisible or undetectable mode, but completely turning it off."
Technologies such as Bluetooth were designed with security in mind, however, over-complication of the technology over time leads to inevitable mistakes in the code made by human coders that can be exploited by the attackers, which was demonstrated by the researchers.
The Recent publication of vulnerabilities in Bluetooth stack covers several vulnerabilities for selected platforms, however, the number of undiscovered or unreported vulnerabilities may be much larger, which is why we would like to call the attention of all users of Bluetooth enabled devices.
This shall work as a reminder to limit attack surface on you personally and your organization by reducing the number of services and technologies exposed to strangers from the outer world. This is generally applicable to Bluetooth and other IT services and technologies.