The "BlueBorne" flaws would allow a virus to leap from device to device, regardless of the operating system being used. The only precondition is that Bluetooth is turned on; the hacker can then easily connect to the device, take control, and spread malware, all without the user ever knowing that the device is compromised.
There are around 8.2 billion Bluetooth-enabled devices in the world today, meaning 8.2 billion potential access points for BlueBorne. Armis told numerous affected tech companies about the flaws well before informing the public (an approach known in the industry as responsible disclosure), so they've had a chance to push out patches.
Based on a proof-of-concept, the security gaps - which have been dubbed "BlueBorne" - could be used by hackers to spread malware or intercept data. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices.
The vulnerabilities are not located in the Bluetooth protocol itself, but in the individual Bluetooth implementations - or stacks - that are present in Android, Windows, Linux and iOS.
Google and Microsoft both subsequently released updates for their affected devices by the beginning of September 2017. Those devices included all Android phones of every version and every Windows computer since Windows Vista.
Ars Technica reported that the time to exploit a device was "no more than 10 seconds" and that it would theoretically work even if a device was already paired with another.
Meanwhile, iOS devices running iOS 9.3.5 or lower and AppleTV on 7.2.2 or lower are open to the attack.
Up until now, Bluetooth has been notable for the dearth of critical vulnerabilities found in the specification or in its many implementations, with Armis being aware of only one code-execution flaw, in Windows, one that Microsoft fixed in 2011.
"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date and can enable a complete takeover of the target device", experts asserted. "It doesn't require the user to make a mistake, or have a device in a discoverable mode". Linux devices released since October 2011 (3.3-rc1) are affected by the remote code execution bug (CVE-2017-1000251). Microsoft even put out a patch for this issue back in July, so Windows is also protected as of now. "Unfortunately in these cases, many connected devices don't allow for patch management and become easy targets", he added.
Microsoft has begun sending out security patches to all Windows versions as of 10 a.m., September 12, making the details available online. As always, while a smartphone automatically receives security updates, these connected devices are likely never to be updated by their manufacturer or owner. Also keep an eye out for patches applicable to any mobile devices and platforms you use.
Now, while we'll be the first to admit that this attack, christened BlueBorne, has a limited audience given the relatively short range, imagine the havoc it could wreak in a simple coffee shop. Turns that Bluetooth into a rotten black one.