Yesterday, security firm Armis Labs disclosed a Bluetooth exploit dubbed “BlueBorne.” This insidious vulnerability puts billions of Android devices with Bluetooth enabled, among many others, at risk of takeover. Fortunately, Google has issued a fix as part of the September security patch, but it will undoubtedly take a while for OEMs to push their updates.
“BlueBorne” only requires that a Bluetooth connection on a device be active. No user action is required, with devices not even needing to be paired. All a hacker needs to do is be in Bluetooth range of your device to take it over.
Once that occurs, a nefarious party will have full access to your phone; one demo on a Google Pixel shows the phone being remotely accessed. For instance, apps — like the camera — and the file system can be accessed, all while being “completely undetected by the user.”
Besides Android devices, Windows, Linux, and older versions of iOS are affected, with Armis Labs estimating that 5.3 billion devices are vulnerable. Two billion of those are Android and include phones, tablets, and wearables. Armis cites a range of specific Android devices as vulnerable:
- Google Pixel
- Samsung Galaxy
- Samsung Galaxy Tab
- LG Watch Sport
- Pumpkin Car Audio System
Google has addressed the issue on Android with the September security patch, which is rolling out now to Pixel and Nexus devices. The patch for partners covers 6.0 Marshmallow and 7.0 Nougat, but it will likely take several months for all devices to get the fix.