News has broken that Armis has identified a new airborne cyber threat, “BlueBorne,” that exposes almost every device to remote attack.
Eight Bluetooth-related vulnerabilities (four that are critical) affecting over 5 billion Android, Windows and Linux devices could allow attackers to take control of devices, access corporate data and networks, and easily spread malware to other devices
Armis, the enterprise IoT security company, today announced the discovery of a set of zero-day Bluetooth-related vulnerabilities affecting billions of devices in use today dubbed, “BlueBorne.”
Nearly all devices with Bluetooth capabilities, including smartphones, TVs, laptops, watches, smart TVs, and even some automobile audio systems, are vulnerable to this attack. If exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a “man-in-the-middle” to gain access to critical data and networks without user interaction.
Mark James -Security Specialist at ESET
“When exploits like these are found on technology that is integrated into almost every device we use, it’s a real concern. We talk about the need for IoT security and the concerns around the rate of increase in uptake for these interconnected devices, and how if vulnerabilities are found they could enable an attacker to compromise and possibly completely takeover the device.
In this case Bluetooth is the technology in question. This is found on virtually all our modern day devices in one form or another. We don’t know if attacks exist using this exploit yet, but something this widespread could cause serious problems if not fixed soon. The big vendors will act quickly to get patches out to ensure their users are protected and safe, but the real problems are the millions of devices that don’t get updates or are unable to be updated at all.
In theory, to be safe on these devices, Bluetooth needs to be disabled until a patch is applied and if no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained.”
Jackson Shaw – One Identity
“Analyst firm Gartner touts, as do many IoT vendors, that 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016. While this statistic is impressive, you pale when you realize that any kind of security breach related to IoT will have massive scale and effect. This is a clear example of that. It is also should be a wake-up call that better vulnerability and penetration testing is a must for all IoT vendors. It’s time for the IoT Cybersecurity Improvements Act of 2017 to be debated and enacted.”
Lamar Bailey, senior director of security research and development at Tripwire
“Bluetooth is everywhere from your laptop to your front door lock. The vulnerabilities in Blueborne are very wide spread and patches will be coming out for months. Bluetooth should be treated like any open port if you do no need it then turn it off. That may not always be easy with Bluetooth keyboards and mice/trackpads but in situations where non-employees are within 40 feet of systems, like banks at teller windows, it is best to use wired input devices and not reply on Bluetooth.
This is especially scary for IoT devices. Many of the vendors will not have patches either because they do not now they are vulnerable, will not know how to patch the issue, or will consider the products out of support and just release new versions. Consumers should look at the devices they won and contact the vendors to see if they are vulnerable. The larger well-established vendors should be putting out information in their support section and contacting registered customers.”