A new Bluetooth security flaw has been discovered that would potentially allow an attacker to connect to a user device without authentication, according to a statement by the Bluetooth Special Interest Group. The statement says that, for the attack to be successful “an attacking device would need to be within wireless range of a vulnerable Bluetooth device”. While Apple protects against some forms of Bluetooth attack by requiring apps to ask user permission before a connection is initiated, vulnerability to so-called Man-In-The-Middle (MITM) attacks is less clear.
Bluetooth risks are rare but when they work, they can be extremely impactful. Such attacks can easily transfer files such as malware onto the target’s device, but they can also have the reverse effect and pilfer data onto the criminal’s machine in order to potentially extort the data owners.
With current social distancing guidelines in place, it makes this attack all that more difficult to pull off. However, this would likely happen on public transport so it is worth reminding people who keep their Bluetooth on all the time on the train to be mindful of accepting files and vigilant of this attack. It is also worth flushing out any old Bluetooth connections that may still allow a connection from devices you do not connect to anymore.