Users of Bluetooth devices around the world can become victims of a new malware attack, according to security company Armis. The company claims to have found eight vulnerabilities collectively named BlueBorne. These exploits enable an attacker to get into a user’s phone without even touching it (or using the facial recognition feature on the iPhone X).

BlueBorne
cocoparisienne / Pixabay

More power to hackers

Any device with Bluetooth, such as computers and phones, can be attacked. The new malware can even seep into the Internet of Things (IoT).

“Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research,” the security company said.

Armis notes that an attacker can use the BlueBorne attack Vector to perform several things using the Bluetooth system, including remote code execution and “man-in-the-middle” attacks.

“This set of capabilities is every hacker’s dream,” the security firm says, adding that BlueBorne can be used for any malicious objective, such as data theft, cyber espionage, injecting ransomware and even creating large botnets.

Further, Armis noted that these types of attacks are not easily identifiable by traditional security controls and procedures.

How Blueborne works

Bluetooth devices connect to each other seamlessly, and thus, they are an easy target for hackers, according to researchers at Armis Labs. BlueBorne, however, poses a greater threat, simply because it could spread across devices without the victims noticing. Most malware spreads once the user clicks on a suspicious link or downloads content containing a virus in disguise.

Nadir Izrael, Armis’ chief technology officer, says the hackers would need Bluetooth to be active on the device they want to infect with the malware. After the malware enters the targeted device, it can be routed to other connected devices once the Bluetooth on those devices is switched on. BlueBorne can travel through the airwaves and could be “highly infectious,” the security company notes.

To carry out an attack using Blueborne, the first step for the hackers is identifying the devices with active Bluetooth connections around them. Such devices can be discovered even if the software does not show them in discoverable mode. The next step involves the attacker obtaining the MAC address of the devices to identify the operating system. Once all this information is available to the attacker, they can use it to launch a man-in-the-middle attack and then gain control of the device.

What devices are at risk?

According to the security company, Apple’s iOS devices on version 9.3.5 or before are at risk, but iOS 10 does not have that vulnerability. Microsoft also released a new update on Tuesday, claiming all that the vulnerabilities have been fixed. However, the real issue could be with Android, which have the biggest customer base.

The updates usually get delayed, as  third-party manufacturers that make the devices based on Android are responsible for providing the updates, notes Engadget. Google, for its part, already released the security updates for Nougat (7.0) and Marshmallow (6.0) as part of its September security updates.

BlueBorne can also attack millions of Bluetooth devices running a version of Linux. Armis states that the commercial and consumer versions of Linux can easily be attacked by using the Blueborne malware.