Microsoft and Google are two tech companies that have patched their devices to protect against several vulnerabilities found in Bluetooth. Security firm Armis has discovered eight separate vulnerabilities in the short-range wireless technology. Four of those vulnerabilities are described as critical.
Bluetooth is, of course, widely used and is currently functional on 5 million devices. The connection method is common across Android, Windows, Linux, and all iOS devices before iOS 10.
Armis calls the collection of vulnerabilities BlueBorne and says the problems are “epidemic”:
“These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date,” Armis said on Tuesday. “Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device.”
Bluetooth was conceived in 1998 and quickly became the standard format for connecting two devices over a short distance. It has also been used to pair peripherals and accessories with devices.
However, it is also a complex platform, with a specification running some 2,822 pages. By comparison, the Wi-Fi specification is only 450 pages. Because of this complexity, Bluetooth implementations are often left alone when it comes to checking how they meet the protocol.
It also means that vulnerabilities can stay buried and go unnoticed, as long as attackers are willing to work through that complexity. BlueBorne gives hackers the ability to control a device and all of its contents. Because Bluetooth is a network of paired devices, attackers can also spread from one compromised device to the others it connects with.
You may think this would only be possible if Bluetooth is turned on for the receiving device. However, a device is always listening for a connection, so a hacker would simply need the device address (BDADDR).
“If the device generates no Bluetooth traffic, and is only listening, it is still possible to ‘guess’ the BDADDR, by sniffing its Wi-Fi traffic,” Armis explains. “This is viable since Wi-Fi MAC addresses appear unencrypted over the air, and because the MACs of internal Bluetooth/Wi-Fi adapters are either the same, or only differ in the last digit.”