It has been reported that, according to Purdue University researchers, billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed over the summer.
This vulnerability is yet another example that nothing is flawless from a security perspective in this world. However, accepting this simple fact is actually empowering: once we have done this, we can put procedures and measures in place to help us find potential problems in our network as fast as possible. It is for this reason that the concept of NDR is gaining traction so quickly; as an industry we must strive to reduce our MTA (mean time to answer) questions about malicious activity to a diminishingly small number.
This is just the latest discovery to involve security issues with Bluetooth connections. It is a constant back and forth between Bluetooth radio manufacturers, who scramble to fix flaws via firmware updates, and bad actors that scramble to exploit the flaws before they're fixed. This recent flaw appears to affect users of numerous devices, including iOS and Android.
Unfortunately, as it has been with previous Bluetooth bugs, sys admins face a nightmare of attempting to patch all vulnerable devices, and that's only if there is a patch available. It is also unfortunate that standard users of mobile and other devices will not patch their devices if and when a patch becomes available.
As with any piece of technology we use today, there is the potential that it could be employed incorrectly. We usually hear about instances of cloud storage not being correctly configured, resulting in a significant data leak. This case, in which communication technology enterprises are not deploying the necessary security procedures, is nothing new. Rather, it is a shortcut. These shortcuts tend to improve the usability of their technology or the product deploying their technology.
In order to improve security, these organisations need to take additional steps which might prevent it from being user-friendly, or at least seen as user-friendly by customers. Consider the step of inputting a simple password every time you use your phone. For some, this is normal; for others, it is a burden, and thus they do not deploy such measures on their device. Now consider asking users to approve a Bluetooth connection with their headphones or with their car. Security-savvy individuals would not mind doing so; however, the majority would see this as a burden. Therefore, these shortcuts are often used as a means of boosting usability and, unfortunately, destroying security. This is ill-advised. Such shortcuts on phones, IoT devices and other technology should not be made possible by the technology itself. Moreover, users should demand more security and interaction points where they can approve actions, rather than allow them without supervision.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.