Billions of Bluetooth-enabled devices may be exposed to a new remote attack called “BlueBorne”, even without user interaction or pairing. Affected systems include Windows, iOS (older than iOS 10), the Linux kernel, and Android. What should you do about it?
Bluetooth is ubiquitous, commonly connecting accessories like headsets and keyboards, but is also used throughout the brave new Internet of Things (IoT) world. An attacker exploiting these BlueBorne vulnerabilities can mount a man-in-the-middle attack, or even take control of a device without the user even noticing it.
The vulnerabilities were discovered by a security company called Armis earlier this year. Researchers reached out to the companies responsible for vulnerable implementations that lead to the coordinated disclosure (and patches) on September 12. (You can read more about our views on responsible disclosure and collaborative security in Olaf Kolkman’s blog post here.)
This case once again highlights how crucial it is that software update mechanisms are available to fix vulnerabilities, update configuration settings, and add new functionality to devices. There are challenges, both technological and economic, in having update capabilities ubiquitously deployed, as discussed in the recently published Report from the Internet of Things Software Update (IoTSU) Workshop 2016.
Vulnerabilities are discovered and patches are developed, but how many devices remain unpatched providing a toxic asset affecting security, user privacy, and the overall security of the ecosystem?
What You Can Do
- Make sure your software is always up to date. Patches for the BlueBorne vulnerability are available in the latest releases of Windows (see Microsoft bulletin), iOS, the Linux kernel, and Android (see September 2017 security bulletin). Unfortunately, this process is often under the control of the device manufacturer and patching may be delayed for various reasons. If a patch is not yet available, inquire about when an update will be offered.
- Disable Bluetooth if it is not essential that you use it, at least until your software is patched.