More than 8.2 billion devices use Bluetooth. Most of our Internet of Things (IoT) devices employ Bluetooth to connect and communicate with each other. In fact, most computers have Bluetooth capability as well.
This includes your laptop, tablet, smartphone, smart TV, home alarm system, garage door, smart car, smart refrigerator, keyboard, mouse, speakers, baby monitor, mattress, beacons, fitness device, personal home assistants, smart socks, medical devices and the latest microchip implants. If it is a connected device, you can bet the farm that it has Bluetooth.
Let’s face it–these devices not only make our lives easier and more fun but are saving lives too. You may have a personal home assistant that you connect to all your devices. With a simple voice command, you can tell one device to make sure to record your favorite TV show, play music on your tablet, call or text anyone on your phone, find the perfect restaurant for dinner and book reservations, post to social media, pay a bill, order new boots, turn on your car remotely as you finish your coffee, keep track of your exercise devices, remind you that you haven’t taken enough steps today, or even settle arguments with a family member by having the device play back conversations verbatim of who said what. Even if you don’t have all your devices connected to one single device, you can still do all these exciting things. What is important is be conscious of the vast amount of information about us, some of it sensitive, that is stored or accessible by these devices.
We live in an “everything connected” world, which is great. But there’s a catch: we increasingly run the risk of the devices we rely on for basically everything becoming targets for hackers. Because there are so many different types of connected devices with varying levels of sophistication, operating systems and security, it’s a real challenge to keep them all safe from hackers. And some devices are more vulnerable by nature than others. Most of these devices can connect seamlessly with each other through Bluetooth.
Cyber research company Armis Labs has found a collection of zero-day exploits they named BlueBorne that puts over 5.3 billion Bluetooth devices at risk of serious compromise. A zero-day exploit is a brand-new piece of malicious code. What makes this such a nasty collection of malware is that it spreads and infects other devices without the victim having to click or download anything. If Bluetooth is turned on, any device vulnerable to the attack can be infected in seconds potentially giving a hacker full access to your data. The cherry on top is that it will then turn your device into a spreader of the malware. For example, if you have Bluetooth turned on your smart phone and you walk into a grocery store, any BlueBorne-infected Bluetooth device can infect your smart phone within seconds. You take your phone in to work and suddenly you could be infecting every Bluetooth device in the office, provided Bluetooth is activated. In a demo of BlueBorne by Armis Labs, there were some visual cues that could alert a user that something was odd, such as a phone in sleep mode waking up, but typically the victim is none the wiser that a malware infection has taken place. Armis Labs has stated that the vulnerability can affect most operating systems including Google’s Android, Apple’s iOS, and Microsoft’s Windows if not updated.
The scary part is that even though newer mobile devices running updated operating systems can be patched for protection against malware like BlueBorne, the vast majority of the world’s mobile devices run on older versions of operating systems that have reached end-of-life and are no longer updated by manufacturers or mobile carriers. These billions of devices pose the biggest risk for malware infection.
What I find to be the most frightening aspect to BlueBorne, is the precedence it sets. We have seen hackers using this method of infection with the WannaCry ransomware by easily going from machine to machine but in almost all cases, a user had to click a link or download something to have the first infected device or become patient zero. It is only a matter of time before a stealthier, silent, similar type of attack in which patient zero does nothing to get infected is used with the potential to wipe devices, lock them, hold them for ransom, exfiltrate personal data and worse in a wide-scale, massive sweep including the possibility to wipe or manipulate information on critical devices such as health implants or those used in critical infrastructure.
So now for some good news.
- Companies have/are releasing patches for BlueBorne.
- If you are running Apple iOS 10 and higher, you are patched against BlueBorne. However, if you are running iOS 9.3.5 or lower, you are vulnerable and should update now. Microsoft released a patch in July that protects Windows so make sure you are updated to the current patch level. Google has released an Android patch. Linux has also released patches.
- Because it is Bluetooth, the hack requires proximity to an infected device (roughly within a range of 300 feet).
- Many others device manufacturers are releasing patches.
- Some of your lower end “dumb” IoT devices may not even have the ability to store and/or pass along malicious code.
- Make sure that you have the latest patches and updates to all devices. • Until patched, you can always turn Bluetooth off to prevent malware infection.• Innovative solutions for securing devices are out there and new ones being developed.
What can you do?
- If you aren’t sure if your device has been patched or updated, contact the smart device manufacturer about security updates.
- Always use strong passwords and change them frequently.
- Remember that anything that is connected can be vulnerable now or in the future so make sure you are updating often with the latest security patches and software updates.
- Your employer’s IT department should put policies and guidance in place to provide information on using devices that may be connected to work-related devices or networks.
- Segregate less secure devices on a guest network separate from your more sophisticated devices like computers and smartphones and only allow devices the least amount of privileges possible.
- Typically, devices will have security settings to help protect you. Make sure you are using them.
- Review privacy and terms of services for all IoT devices.
- There are great free and paid subscription anti-malware and sandboxing protection tools for smartphones and for some IoT devices.
It is vital that we as users, employees and employers understand the threats to the devices we use and empower ourselves to use the right security tools for them. Along with this, it is critical that device manufacturers remain vigilant in staying ahead of the threat landscape and provide timely updates.