Update: Massive Bluetooth vulnerability patched in September security update
Update #2 (9/14): Google has taken the first step to plug the massive Bluetooth vulnerability that is said to affect around two billion Android devices. A fix for BlueBorne has been included in the September security update, which is currently going out to devices from Google and other manufacturers. The update patches four of the vulnerabilities reported by Armis Labs, including two that were deemed critical by Google (via 9to5Google).
The patch has been made available to Android OEMs, but this is where Android’s biggest weakness becomes apparent once again. It could take months for the patch to reach many Android devices, and that’s the fortunate case. The hundreds of millions of phones that no longer (or never have) receive Android updates will remain vulnerable.
Update (9/13): Armis Security has released an official app that will tell you if any Bluetooth devices around you are vulnerable to BlueBorne. It’s a free app, and super easy to use. Just install it via the Play Store link below, tap the check button, and it will automatically scan for vulnerable Bluetooth devices around you.
Original post (9/12): According to a new report, roughly 5.3 billion of the 8.2 billion Bluetooth connected devices on the planet are vulnerable to a new exploit. Nearly every connected device on earth features Bluetooth and now over half of them are at risk from BlueBorne, a new zero-day exploit. BlueBorne targets vulnerable devices and spreads without the action or knowledge of the user. It’s being compared to the nasty WannaCry ransomware that spread around the globe earlier this year.
Here’s how it works: BlueBorne infects your device silently. Without any action on your part, it spreads to your device by taking advantage of how Bluetooth uses tethering to share data. It then acts as a trusted network and allows hackers to execute “man in the middle” attacks without you even knowing it. From there, it spreads to other vulnerable devices it detects. Researchers from Armis Labs who found the exploit were able to use it to create botnets and install ransomware.
The news isn’t all terrible. While BlueBorne does use eight zero-day vulnerabilities, patches have come out to fix it. All Apple devices running iOS 10 and newer, as well as all up-to-date Windows machines are safe. Google passed the patch onto partners in early August which means Nexus and Pixel devices with the latest updates are safe, but others will have to wait on OEMs to push the update.
September security update for Pixel and Nexus devices finally starts to roll out
The concern from here on out is what happens to 180 million of the two billion Android devices on the market that will never see another update. While informed users can simply just turn their Bluetooth off, all other unpatched devices will remain vulnerable as long as Bluetooth is active. This is especially scary because there has been an explosion of Internet of Things connected appliances and devices that have come onto the market in the last several years. Those devices may be slow to get a patch, or never get one at all. Armis Labs estimates that 40% of vulnerable devices are never going to be patched. That leaves over two billion devices on the market to act as potential virus hotspots.