Modern technology has brought thousands of conveniences to almost every aspect of our daily lives…and, it sometimes seems, nearly as many brand-new headaches to go along with them. And some of those headaches can be downright dangerous.
CBS News reports that, according to Armis Labs, a security company focused on the “internet of things” (a wide range of devices and appliances wirelessly connected to each other), there is a new malware threat out there affecting an estimated 5.3 billion (yes, with a B, not an M) Bluetooth-connected devices: computers, smartphones, speakers, keyboards, and much, much more. That’s about 65 percent of all 8.4 billion Bluetooth devices in the world.
It seems that this insidious new breed of malware can slip right past most conventional device security methods, doesn’t require the victim to do anything reckless to get a foot in the door, and can spread rapidly to do a lot of damage in a short amount of time, all by exploiting the simplicity that makes Bluetooth such a convenient way to connect wireless devices to one another.
The attack method, which they’re calling BlueBorne, is especially dangerous because it can spread without the victim doing anything or noticing it.
In a lot of cases, malware depends on people clicking on a link they shouldn’t have, or downloading a virus in disguise. With BlueBorne, all hackers need to spread malware is for their victims’ devices to have Bluetooth turned on, said Nadir Izrael, Armis’ chief technology officer.
And once one device has been infected, the malware can spread to other devices nearby with the Bluetooth turned on. By scattering over the airwaves, BlueBorne is “highly infectious,” Armis Labs said.
“We’ve run through scenarios where you can walk into a bank and it basically starts spreading around everything,” Izrael said […]
BlueBorne is a collection of eight zero-day vulnerabilities that Armis Labs discovered. Zero-day vulnerabilities are security flaws that are found before developers have a chance to fix them. That kind of exploit lets hackers execute malware remotely, steal data and pretend to be a safe network as a “man in the middle” attack.
It does this by taking advantage of how your Bluetooth uses tethering to share data, the company said. It’s able to spread through “improper validation,” Izrael said. The vulnerability affects devices on most operating systems, including those run by Google, Microsoft and Apple.
In response, Apple, Microsoft, and Google have all released patches they say successfully protect users of their devices from the danger. However, Apple users need to update their mobile devices to the iOS 10 operating system to make use of the patch, and Google says the responsibility for actually distributing their update to Android phones lies with individual carriers. Approximately 180 million out of 2 billion Android phones will not be getting the patch.
The potentially greater concern, though?
[U]pdates might not be as frequent for single-purpose smart devices like your smart refrigerator or a connected television.
Of the potentially impacted devices, Armis Labs estimated that 40 percent are not going to be patched. That’s more than 2 billion devices that will be left vulnerable to attacks, they warned.
“We’re looking at a forever-day scenario for many of these devices,” Parker said.
Ultimately, Armis advises that the one sure-fire way to protect yourself, no matter what device you have, is to simply turn off its Bluetooth function.