Billions of Bluetooth devices are vulnerable to attack, according to researchers
Researchers at the security firm Armis say that some 5.3 billion Bluetooth-enabled devices are vulnerable to an attack they call BlueBorne. The affected devices include smartphones, laptops and wearables as well as IoT devices.
The BlueBorne attack published by Armis Labs researchers exploits eight zero-day vulnerabilities in the Bluetooth implementations of Android, iOS, Linux and Windows. The researchers claim the attack can take over a Bluetooth device within about ten seconds without the user noticing. According to the researchers, the attack could be used, for example, to spread ransomware or other malware to further Bluetooth devices. A man-in-the-middle attack is also possible, for instance to redirect users to a fake login page.
The attack works even when the affected device is not paired with, or searching for, another Bluetooth device. Simply having Bluetooth switched on makes a device vulnerable, according to the researchers. They state that 5.3 billion Bluetooth devices worldwide are vulnerable to the attack; the total number of Bluetooth-equipped devices in circulation is estimated at about 8.2 billion.
The company shared its findings earlier this year with Google and Microsoft, among others, and several patches have already been released in recent months. Microsoft will ship updates for Windows in its patch round this Tuesday; all Windows versions since Vista are vulnerable. Apple has already fixed the vulnerabilities in iOS 10. However, not all Bluetooth devices receive updates, and those that do not remain vulnerable.
For example, all Android versions older than 6.0 remain vulnerable, because no update is available for them. Google included the fix in the September security patch, which is available for Android 6.0 and newer; devices that have not yet reached that patch level are still vulnerable. Armis has released an Android app that lets users check whether their smartphone is susceptible.
Armis says it has contacted Samsung three times, but the South Korean manufacturer has not responded. In a demo video, the researchers show how they take over a Galaxy Gear S3 via Bluetooth by exploiting the vulnerabilities in its Linux-based software.
The security company has published several demonstration videos of the attack on YouTube, including ones showing how a Google Pixel smartphone and a Windows computer can be taken over. A white paper provides technical details of the attack and the vulnerabilities.