Skip to main content

Expert says risk of Bluetooth ‘BlueBorne’ attacks across multiple devices overblown

Security firm says 'BlueBorne' is only a risk if your device isn't updated

Bluetooth was originally created in 1998 to serve as a secure short-range wireless connection between two devices. It pairs our wireless mice to our laptops, our smartwatches to our smartphones, and so on. But a recent report published by security firm Armis points to eight Bluetooth-related vulnerabilities — four of which are critical — that reside on more than 5 billion Android, Windows, Linux, and pre-iOS 10 devices. The company dubs this “epidemic” BlueBorne.

“These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date,” Armis said on September 12. “Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device.”

Recommended Videos

The problem starts with the complexity of Bluetooth itself. The specification stretches across 2,822 pages, which is massive compared to the base Wi-Fi specification (802.11), which consists of only 450 pages. Because of its complexity, Bluetooth does not receive the same scrutinized audits as other less-complicated protocols. That means vulnerabilities get buried as Bluetooth evolves.

Many issues prior to Bluetooth v2.1 were resolved with the introduction of Secure Simple Pairing, thus the security community shifted its attention away from Bluetooth. But a thorough inspection still needed to be performed and Armis says that its discovery of eight vulnerabilities in a recent analysis of Bluetooth could very well be “the tip of the iceberg.”

Overall, the BlueBorne set of vulnerabilities can enable a hacker to take control of a device, access its content, and use it to infect other Bluetooth-enabled devices with malware. Outside the actual vulnerabilities, the root of the issue stems from keeping Bluetooth turned on. A device will listen for Bluetooth traffic even if it is not set to discoverable mode, so all a hacker needs to know is its Bluetooth device address (BDADDR), and its MAC address.

But how do you get this information? By using open-source hardware sold online that can sniff out encrypted Bluetooth connections passing through the air. These packets of information contain plain text data pointing to the Bluetooth device address. Hackers can then use that address to send unicast traffic if they are within physical proximity of the target device: 33 feet for mobile phones and headsets, and 328 feet for laptops and desktops.

“If the device generates no Bluetooth traffic, and is only listening, it is still possible to ‘guess’ the BDADDR, by sniffing its Wi-Fi traffic,” the firm explains. “This is viable since Wi-Fi MAC addresses appear unencrypted over the air, and due to the MACs of internal Bluetooth/Wi-Fi adapters are either the same, or only differ in the last digit.”

But according to Mike Weber of cyber risk management service provider Coalfire, there is no need to panic. There are no known instances of hackers taking advantage of the vulnerabilities. Even more, creating malware to possibly attack a multitude of devices spanning Windows, iOS, and Linux in a single sweep would be extremely difficult. The discovery of the vulnerabilities only points to possibilities, not an actual attack in the wild.

“If you are on a device that is no longer supported, cannot be updated, or has not yet received a patch from a vendor, it is recommended to keep Bluetooth on the device turned off except when necessary,” Weber suggests.

Microsoft produced a patch for Windows on September 12, 2017. Apple nuked the vulnerabilities on its products with the release of iOS 10, but all devices running iOS 9.3.5 and older are still vulnerable. Google patched the issues on Android 6.0 (Marshmallow) and Android 7.0 (Nougat) on August 7, 2017, but if you’re still worried about BlueBorne, Armis Security provides an app on the Google Play Store.

Updated: Now reflects new information provided by Coalfire.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
A coding blunder just ruined a moment of joy for lottery winners
Eurojackpot lottery slips.

Imagine the joy of being notified of a huge lottery win. What would be the first thing you’d do? Get the champagne in? Book a fancy vacation? Call your boss and tell him where to go?

And then imagine being informed that the notification had, in fact, been sent in error. Well, you can always send the booze back and cancel the holiday, but trying to convince your boss that you were just joking ... well, that may be a bigger challenge.

Read more
This TP-Link Wi-Fi 6 router is 45% off in early Prime Day deal
The TP-Link AX1800 Archer AX21 Wi-FI 6 Router on a white background.

If you're planning to buy a new router to improve your home's Wi-Fi network, the good news is that you don't have to wait for Prime Day 2025 to take advantage of huge discounts on router deals from Amazon. Here's an excellent offer — the TP-Link Archer AX21 with an eye-catching 45% discount, which drops its price from $100 to just $55. The $45 in savings will only be available for a limited time though, so you better act fast and proceed with your purchase immediately as this early Prime Day deal may disappear at any moment.

Buy Now

Read more
Watch these AI humanoid robots play soccer like Mbappé … sort of
Humanoid robots playing soccer.

Watching these humanoid robots battle it out on the soccer field, you quickly realize that Kylian Mbappé and his fellow professionals really have little to worry about. At least, for now.

The footage (top) was captured last week in Beijing at the RoBoLeague World Robot Soccer League, China's first-ever three-on-three humanoid robot soccer league.

Read more