BlueBorne: The Latest in the New Wave of Bluetooth-Based Attacks
Researchers at Armis have disclosed 8 different vulnerabilities affecting the modern Bluetooth stack implementation that could affect millions of devices across the world. These vulnerabilities, which range from information disclosure to remote code execution, do not require any user interaction and can be leveraged at any device with Bluetooth enabled.
Affected platforms include Android, iOS, Microsoft and Linux, which covers every device from smartphones to smart cars and every dumb IoT (Internet of Things) device in between. The firm has collectively named this pack of exploitive joy “BlueBorne,” stating that the attack can be theoretically used to compromise, infect, and spread to another device like an airborne virus.
The vulnerabilities were identified in April of this year, and vendors have started rolling out updates in order to protect users from attacks in a coordinated fashion. Microsoft made the first update in July, followed by Google and Linux in early September.
Apple’s products using the latest iOS and OSX versions were not affected; however, legacy devices using iOS 9.x will be permanently affected by this vulnerability. In addition, many devices, especially EoL (End of Life) devices, IoT and embedded devices will never receive patches to protect themselves from this attack.
Fortunately, the vulnerability does have some limitations. The first being the limitation of Bluetooth’s range, in which an attack can only be delivered within the effective 75 meters or so range of Bluetooth radios.
In addition, exploitation of these devices will not be universal, as an attacker would have to craft an exploit specifically targeting the OS of each affected device, thus preventing a truly wormable exploit or ‘airborne’ worm like the authors suggest. Not all devices are vulnerable to all 8 issues, half of which are critical and the (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog