Because you need to know what’s up and what to do about it.
We got to see something cool and terrible (yes, it’s possible to be both at the same time) earlier this week when Armis Security published the details of a new Bluetooth exploit. Called “Blueborne,” the exploit allows a person with the right tools and who is within Bluetooth range of your smart thing — laptop, phone, car, or anything else that runs Android (as well as most every other operating system, including iOS and Windows) — to gain control over the device without any action from the user.
That’s because the exploit attacks the parts of the software used to set up a connection in order to hijack the Bluetooth stack itself. Those parts are implemented in much the same way everywhere, because Bluetooth is so complicated and the stack itself handles so many things the OS could otherwise be doing.
Interested yet? If not, you should be.
Before we go any further, here is the good(ish) news: Apple, Google, and Microsoft have all patched the exploit. On the Android side, we saw the fix in this month’s security patch, released the same day the vulnerability was made public. This surely isn’t a coincidence, and kudos to Armis for working with the companies that write the software we all use every day to get this fixed. Of course, almost no Android-powered device has this patch yet, and most won’t for a while.
I’ll resist the temptation to make this all about Android’s update woes and the million-and-one reasons for them. I’ll just say that if you value being protected against most vulnerabilities like this, you currently have three options: an Android-powered device from BlackBerry, an Android-powered device direct from Google, or an iPhone. You decide what to do here.
Instead let’s talk about what Blueborne is and how it does it, as well as what you can do about it.
What is Blueborne?
It’s a series of simple attacks on various parts of the Bluetooth stack running on almost every smart device in the world, including 2 billion Android phones. It’s not a MiTM (Man in the Middle) attack, where someone intercepts Bluetooth traffic between you and a thing you’re connected to. Instead, the attacker poses as a device that wants to discover and connect over Bluetooth, but the exploit happens before the connection attempt reaches a stage where the user needs to act.
For people into this sort of thing, the short version of how the exploit works on Android is that the attacker sends out a discovery query, then manipulates both the timestamp and size of a second discovery query for a separate service to the same machine. This causes a buffer underflow and bypasses the standard Bluetooth Security Management Protocols to hit the failsafe “just works” connection. While it sounds crazy that this works, it’s better than the default BlueZ stack version of the exploit, which is a straight-up buffer overflow that bypasses every connection – Source
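As an added illustration (constructed for this article; it is not Android’s Bluetooth code and not the Blueborne exploit), here is the class of length-handling bug the paragraph describes: a parser that trusts the size field in a discovery-style request, so its “bytes remaining” arithmetic underflows, beside a version that validates the declared size against what was actually received before touching memory. The packet layout (a 2-byte big-endian length followed by the payload) is an assumption made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed request format for this example: 2-byte big-endian declared
 * payload length, then the payload. The receiving service must not trust
 * the declared length; the sender controls it. */

/* Naive arithmetic: the "remaining" count an unchecked parser would compute.
 * When the declared length exceeds the bytes actually received, the unsigned
 * subtraction wraps (an integer underflow) to a huge value, which a later
 * copy or read loop would accept as a legitimate bound. */
size_t naive_remaining(size_t received, size_t declared) {
    return received - declared;  /* wraps when declared > received */
}

/* Hardened parse: every length is checked against what really arrived
 * before any copy. Returns the number of payload bytes copied into out,
 * or -1 if the request is malformed. */
int parse_request_safe(const uint8_t *pkt, size_t received,
                       uint8_t *out, size_t out_cap) {
    if (pkt == NULL || received < 2) return -1;          /* header missing */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];    /* big-endian length */
    if (declared > received - 2) return -1;              /* lies about its size */
    if (declared > out_cap) return -1;                   /* would overrun out */
    memcpy(out, pkt + 2, declared);
    return (int)declared;
}

int main(void) {
    /* Constructed sample requests: one honest, one claiming 4096 payload
     * bytes while sending a single byte. */
    uint8_t honest[] = {0x00, 0x03, 'a', 'b', 'c'};
    uint8_t lying[]  = {0x10, 0x00, 'a'};
    uint8_t out[8];
    printf("honest -> %d bytes\n", parse_request_safe(honest, sizeof honest, out, sizeof out));
    printf("lying  -> %d (rejected)\n", parse_request_safe(lying, sizeof lying, out, sizeof out));
    printf("naive remaining for lying packet: %zu\n", naive_remaining(sizeof lying, 0x1000));
    return 0;
}
```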