BlueBorne: Most IoT Devices at Risk
By Joyce Deuley
Yesterday, security group Armis Labs released its report on the latest in Bluetooth vulnerabilities, BlueBorne. According to the report, “IoT attack vector, ‘BlueBorne’ exposes almost every connected device.”
This threat is particularly nasty in that it is an “airborne” vector that targets the weakest point in a network and can have devastating effects on computers, mobile devices (Android, Google, iOS), “and the expanding realm of IoT devices.”
TechCrunch posted a video of Armis’ demonstration of a BlueBorne attack, showing that a phone can be hacked within 10 seconds, and shared a quote by Ralph Echemendia, CEO of Seguru: “BlueBorne affects pretty much every device we use. Turns that Bluetooth into a rotten black one. Don’t be surprised if you have to go see your security dentist on this one.”
Surpassing other forms of attack, BlueBorne penetrates “secure ‘air-gapped’ networks, which are disconnected form any other network, including the Internet,” and can enable attackers to carry out a variety of objectives: cyber espionage, data theft, ransomware, and botnets (e.g. Mirai or WireX).
Though the total number of IoT devices deployed worldwide tends to fluctuate, it is currently estimated that 8.2 billion IoT devices are currently at risk. Armis classifies this as a comprehensive and severe threat: “Bluetooth enabled devices are constantly searching for incoming connections..not only those they have been paired with.”
This means that not only does BlueBorne not require user interaction, but it also doesn’t require the Bluetooth to be “active”. On top of that, this next-gen attack is compatible with all software. Essentially making BlueBorne “one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected,” (Armis).
The Verge released an article yesterday in response to the Armis report, citing some limitations to BlueBorne, and some precautions that could be taken. While the most secure thing to do would be to not utilize Bluetooth continuously, but—more reasonably, users should update their devices with the most recent security updates. Though it should be pointed out that some systems may not have released a patch yet for all of their devices.
Limitations of BlueBorne include: specific vulnerabilities are different between operating systems, making more generalized attacks across multiple systems at once more unlikely, and the attacks need to be completed near the hackers. As they say, location is everything.
In an increasingly connected world, the severity of cyber attacks also increases. It is clear between the recent attack on Equifax and the discovery of new vectors like BlueBorne, we need to become more vigilant and resilient as those that are actively trying to exploit the systems we use.