Published: Wed, September 13, 2017
Science | By Cecil Little

Bluetooth flaws put billions of devices at risk

For example, a delivery person dropping a package at a bank could carry weaponized code on a Bluetooth-enabled device.

Bluetooth security risks are not a new thing, though most past attacks have involved misconfiguration or the lack of PIN authentication to secure a Bluetooth connection.

Another remote code execution vulnerability, similar to the previous one, can be triggered without user interaction and can allow the attacker to take full control of the device. Current Apple operating systems are not vulnerable to the attack, but older iOS systems are. According to Armis Labs, BlueBorne can easily affect PCs and mobile phones because the attacking device does not need to be paired with the targeted device. Such self-replicating exploits could quickly take over huge numbers of devices at conferences, sporting events, or in workplaces.

"Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically", Microsoft stated. While the underlying vulnerability exists in some form across most Android and Linux devices, the specific exploit varies from system to system, making it hard to write a single virus that would be able to target every vulnerable device. It's also highly infectious and can spread malware to nearby devices.

Adding to the increasing potential for attack is the fact that just about every electronic device includes support for Bluetooth connectivity.


A video posted by Armis demonstrates how a Google Pixel can be compromised.

Apple fixed its share of the vulnerabilities in iOS 10, which 89 percent of all users are using as of early September.

Linux kernels since 3.3-rc1 are affected and so are all Linux devices running the BlueZ stack.

In the interim, people can also disable Bluetooth until the proper patches are available and applied.

Several Linux-based devices and machines dating back to late-2011 are also at risk of complete remote takeover, including Tizen devices, Samsung's Gear S3 smart watch, several Samsung televisions, and a handful of drone models.


As for Google, the company said that its Android partners received the patch in early August. Windows Phones are not affected.

Armis said that it first reported the vulnerabilities to Google, Microsoft and Linux in April and patches have now been released as part of vendors' regular scheduled updates.

Part of the blame for these flaws falls on how device makers have implemented the overly complex Bluetooth protocol across devices over the years, which is where numerous weak spots are found.

Armis said that it has seen two main issues with how platform vendors have implemented the Bluetooth protocol: either the platform vendors followed the implementation guidelines word for word, which has led to the same Bluetooth bug existing on both Android and Windows, or, in some areas, the Bluetooth specifications have left too much room for interpretation, which opened the possibility for multiple bugs to exist in various implementations.

"The research illustrates the types of threats facing us in this new connected age", said Dibrov. The technology has found a serious following in recent years with the advent of mobile devices.


Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
