Bluetooth flaws put billions of devices at risk

The popular personal area network Bluetooth protocol used by almost every modern mobile device is full of security holes that can be exploited by attackers, researchers have found.

In their BlueBorne research paper [pdf], researchers Ben Seri and Gregory Vishnepolsky from security vendor Armis outline several zero-day vulnerabilities and other security flaws in recent Bluetooth implementations.

They outlined eight vulnerabilities that can be used to attack the Linux open source kernel and Google's Android operating system, as well as Microsoft Windows and Apple iOS.

Even when the Bluetooth feature is left in a non-discoverable state, devices running vulnerable implementations can be found with network sniffers, the researchers said.

Once found, attackers can exploit flaws in several Bluetooth layers to steal information and execute code remotely.

Simply leaving Bluetooth on can make a device vulnerable, Seri and Vishnepolsky noted. However, they said they were not aware of any active exploitation of the flaws.

Seri and Vishnepolsky have coded a scanner for the BlueBorne vulnerabilities and made it freely available on the Google Play app store.

Several new Android devices including a Samsung Galaxy S8+ and a Huawei P10 were found to be vulnerable by the BlueBorne scanner in iTnews testing.

Apple iPhones, iPads and the iPod Touch with iOS version 9.3.5 and earlier are vulnerable to the BlueBorne flaws.

Windows Vista and newer variants of Microsoft's operating system can be attacked with the Bluetooth Pineapple authentication bypass vulnerability that also affects Android.

The root cause behind the multiple vulnerabilites is an overly complex Bluetooth specification that spans 2822 pages.

Such a convoluted specification leads to weaknesses in the protocol that are hard to discover and remedy, the researchers said.

More than 8.2 billion Bluetooth devices are currently in use, they noted.

The researchers have reported the flaws to the affected vendors, but acknowledged that many Android devices will not be patched.

Google and Microsoft have both released patches for the vulnerabilities.