News has broken that Armis has identified a new airborne cyber threat, “BlueBorne,” that exposes almost every device to remote attack.
Eight Bluetooth-related vulnerabilities (four that are critical) affecting over 5 billion Android, Windows and Linux devices could allow attackers to take control of devices, access corporate data and networks, and easily spread malware to other devices
Armis, the enterprise IoT security company, today announced the discovery of a set of zero-day Bluetooth-related vulnerabilities affecting billions of devices in use today dubbed, “BlueBorne.”
Nearly all devices with Bluetooth capabilities, including smartphones, TVs, laptops, watches, smart TVs, and even some automobile audio systems, are vulnerable to this attack. If exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a “man-in-the-middle” to gain access to critical data and networks without user interaction. IT security experts commented below.
Mark James, Security Specialist at ESET:
“When exploits like these are found on technology that is integrated into almost every device we use, it’s a real concern. We talk about the need for IoT security and the concerns around the rate of increase in uptake for these interconnected devices, and how if vulnerabilities are found they could enable an attacker to compromise and possibly completely takeover the device.
In this case Bluetooth is the technology in question. This is found on virtually all our modern day devices in one form or another. We don’t know if attacks exist using this exploit yet, but something this widespread could cause serious problems if not fixed soon. The big vendors will act quickly to get patches out to ensure their users are protected and safe, but the real problems are the millions of devices that don’t get updates or are unable to be updated at all.
In theory, to be safe on these devices, Bluetooth needs to be disabled until a patch is applied and if no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained.”
Jackson Shaw at One Identity:
“Analyst firm Gartner touts, as do many IoT vendors, that 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016. While this statistic is impressive, you pale when you realize that any kind of security breach related to IoT will have massive scale and effect. This is a clear example of that. It is also should be a wake-up call that better vulnerability and penetration testing is a must for all IoT vendors. It’s time for the IoT Cybersecurity Improvements Act of 2017 to be debated and enacted.”
Lamar Bailey, Senior Director of security Research and Development at Tripwire:
“Bluetooth is everywhere from your laptop to your front door lock. The vulnerabilities in Blueborne are very wide spread and patches will be coming out for months. Bluetooth should be treated like any open port if you do no need it then turn it off. That may not always be easy with Bluetooth keyboards and mice/trackpads but in situations where non-employees are within 40 feet of systems, like banks at teller windows, it is best to use wired input devices and not reply on Bluetooth.
This is especially scary for IoT devices. Many of the vendors will not have patches either because they do not now they are vulnerable, will not know how to patch the issue, or will consider the products out of support and just release new versions. Consumers should look at the devices they won and contact the vendors to see if they are vulnerable. The larger well-established vendors should be putting out information in their support section and contacting registered customers.”
Gaurav Banga, Founder and CEO at Balbix:
“Critical servers and infrastructure in an enterprise can be attacked through laptop and mobile devices used by administrators to access or connect. Businesses need to assess the risk of malware being spread from a vulnerable user device to critical infrastructure using exploits targeting bluetooth and wifi. Continuous network discovery and monitoring can identify such high impact infrastructure that is at risk from such attacks.”
Kevin Bocek, Chief Security Strategist at Venafi:
“BlueBourne is a disturbing new attack on almost every computer, smartphone, and tablet. The alarming thing is that it will lead to people running or connecting to malicious applications and websites. This is why we urgently need every website and application to have a unique machine identity. Without this – the attacks as demonstrated with BlueBourne can run easily.
Businesses though have an easy solution to mitigate the vulnerability and attacks: make sure every web, desktop and mobile application has a unique machine identity that they maintain constant intelligence and control over. That way if something like BlueBourne drives users in the direction of something malicious they’ll be alerted or stopped and hence the threat is mitigated. BlueBourne is just one more reason why gaining control over machine identities now is so critical and urgent.?
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.