TECH

Hackers Can Take Over Billions of Android and Linux Devices via Bluetooth

Security researchers have discovered a set of severe vulnerabilities affecting devices that connect via Bluetooth.

The eight security holes—three of which are considered "critical"—allow attackers to take control of Bluetooth-enabled devices, execute code remotely, or intercept traffic between laptops, phones, smart TVs, watches, and other "Internet of things" devices. The vulnerabilities affect unpatched versions of Google Android, Microsoft Windows, Linux operating system, and Apple iOS.

Researchers have dubbed the attack that takes advantage of these code flaws "Blue Borne" because it is airborne and spreads via Bluetooth. The researchers envision a worst-case scenario in which a major ransomware attack, like WannaCry from earlier this year, spreads like wildfire, jumping from phone to phone and "bricking" people's devices.

This attack would not require people to click on links, download malicious files, or "pair" devices to work; it would merely require people to have Bluetooth enabled.

More information on the attack can be found below.

"No security mechanism is there to block incoming Bluetooth connections, so an attacker can bypass all of them completely," says Ben Seri, head of research at Armis Security, the two-year-old cybersecurity startup that found the security holes.

"Imagine WannaCry Blue," adds Michael Parker, Armis' head of marketing.

The researchers say they reported the vulnerabilities to Apple, Google, and Microsoft in April and to Linux in August. They held off on publishing their work in order to coordinate disclosure with the affected companies. (For more on coordinated vulnerability disclosure, read this recent Fortune feature.)

Most of the tech companies and organizations have addressed the issues—although there are exceptions.

Apple said it had already fixed the issue with its release of iOS 10 a year ago; however, people running earlier versions of the software are vulnerable. Microsoft said it released a patch during a regularly scheduled Patch Tuesday in July.

"Customers who have Windows Update enabled and applied the security updates, are protected automatically," a Microsoft (msft, -0.25%) spokesperson tells Fortune. "We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates."

The researchers said they expect Linux, which is an open source project managed by a community of volunteers, to release a fix soon. (The Linux team did not immediately respond to Fortune's inquiry.)

Google represents a trickier situation. The tech giant's Android ecosystem is fragmented across a wide variety of partners, such as phone manufacturers and mobile carriers, who are responsible for distributing patches developed by Google.

"We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe," says Aaron Stein, a Google spokesperson. He notes that Google's proprietary Pixel and Nexus phones would be updated automatically, and that partners—manufacturers like Samsung, HTC, and Sony, as well as wireless carriers like Verizon, AT&T, and T-Mobile—have had the patch for about a month.

Android users who wish to know whether they are vulnerable can download an app Armis developed to provide a check. When patches are available, consumers should update their devices to the latest available operating systems in order to protect themselves from the attacks.

In the interim, people can also disable Bluetooth until the proper patches are available and applied. More information about the Android, Windows, and Linux attacks can be found in the videos below.

Bluetooth is complicated. Too complicated," the researchers write in their whitepaper discussing the attacks. "[A]s the Bluetooth stack is such an immense piece of code, the work we are presenting might be only the tip of the iceberg."

"These silent attacks are invisible to traditional security controls and procedures. Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them," said Yevgeny Dibrov, CEO of Armis, in a statement. Armis' 40-person team is headquartered in Palo Alto, Calif. and Tel Aviv, and has raised $17 million in venture capital from investors such as Sequoia Capital and Tenaya Capital.

The group that oversees Bluetooth technology, called the Bluetooth Special Interest Group, estimates that there are more than 8 billion Bluetooth devices on the market today.

As with any technology, devices running older versions of software tend to have vulnerabilities. It's generally a wise practice to keep the software on your devices up to date.

fortune.com