A newly-discovered vulnerability is leaving over IoT devices open to a Bluetooth cyber attack dubbed "BlueBorne," according to IoT enterprise security company Armis.
Armis, which announced the vulnerability on Tuesday, said that as many as five billion Android, iOS, Linux and Microsoft devices could be left vulnerable – meaning that hackers could take over the devices, spread malware, or gain access to critical data and networks.
"This exploit allows individuals to take over the device via Bluetooth, and it takes place at the implementation level, not the protocol level, meaning that no pairing is required," Michael Parker, vice president of marketing at Armis, told CRN. "That means the attacker can come into a device unnoticed by users and it's not stoppable by firewalls or endpoint protection."
Armis said that BlueBorne is "the most serious Bluetooth vulnerability identified to date," because the exploit can take place at the implementation level as opposed to the protocol level – meaning that the vulnerabilities bypass authentication methods and enable hackers to overtake the device completely.
Most devices with Bluetooth capabilities – such as smartphones, smart TVs, and automobile audio systems – are vulnerable to the attack, said Parker.
Ben Seri, head of research at Armis, said there are two ways attackers can use to exploit the devices. They could connect to a target device in an undetected manner before remotely executing code on the device so that they could take full control of a system. Also, they could create a "Bluetooth Pineapple" to sniff out traffic being sent Bluetooth devices, hijack this connection, and redirect traffic.
According to Armis, Google and Microsoft are releasing updates and patches starting on Tuesday, while other vendors are preparing patches "in various stages of being released."
However, Parker said that up to 40 percent of the 5.3 billion impacted devices probably would not be patchable – mainly because they are IoT devices, like smart refrigerators, that cannot be easily updated.
Right now, Armis said that users could disable Bluetooth to protect their connected devices while waiting for the patch.
Bill Frank, vice president of Security Services at INN04, a Boston, Mass.-based Armis partner, said that the channel's assessment capabilities could help an organization detect these types of vulnerabilities. Ultimately, he said, it is up to the manufacturers to provide patches, as well as the customers to upgrade their connected devices, to avoid BlueBorne.
"The main issue with BlueBorne is that in the past it's been hard to compromise a smartphone, but now you only need to be near someone's phone and connect via Bluetooth," he said. "It will be awhile before all these devices are patched, but there will be some ramifications to this as it will put some pressure on the carriers to do updates and patches faster."