
New Bluetooth vulnerability can hack a phone in ten seconds

13 September 2017

Bluetooth, the popular personal area network protocol used by nearly every modern mobile device, is full of security holes that can be exploited by attackers, researchers have found.

Armis has identified eight vulnerabilities that could be employed for a BlueBorne attack: one Linux kernel RCE vulnerability; a Linux Bluetooth stack vulnerability; four Android vulnerabilities; a vulnerability affecting all versions of Windows since Vista (patched this week by Microsoft); and a vulnerability in iOS versions prior to 10.

Armis says BlueBorne affects computers running Windows and Linux as well as IoT gadgets and mobile devices powered by Android and iOS. Even with other such technologies and services available, Bluetooth remains one of the most convenient ways to share data with other devices, as well as for audio and video streaming and similar uses. The researchers envision a worst-case scenario in which a major ransomware attack, like WannaCry from earlier this year, spreads like wildfire, jumping from phone to phone and "bricking" people's devices.

More information on the attack can be found below. If your device has Bluetooth and it is turned on, it is possible for an attacker to take complete control of it from 32 feet away.

The BlueBorne vulnerabilities were discovered by internet of things (IoT) security firm Armis, which first responsibly reported the flaws to the impacted vendors, including Google, Microsoft and the Linux community.

Check Armis' page on the exploit along with the respective white paper (PDF) explaining BlueBorne in detail.

Microsoft said that its Windows phones were not impacted by the attack vector.

"We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe", a Google spokesperson told Engadget.

The researchers said they were concerned about BlueBorne because it spread through the air.

The tech giant's Android ecosystem is fragmented across a wide variety of partners, such as phone manufacturers and mobile carriers, who are responsible for distributing patches developed by Google. Microsoft is planning to roll out security patches today that address the issue, so be on the lookout for your particular version of Windows. He also downplayed the likelihood of active BlueBorne attacks, noting that there's no indication either of the Broadcom chip vulnerabilities has ever been exploited in the wild.

In the interim, people can also disable Bluetooth until the proper patches are available and applied.

"Bluetooth is complicated. Too complicated", the researchers write in their whitepaper discussing the attacks.

While using Bluetooth is a canny way to automatically infiltrate user devices without permission, it means BlueBorne is bound by the signal frequency's short range, and only affects devices with Bluetooth turned on.

"These silent attacks are invisible to traditional security controls and procedures". All are at risk of being affected by BlueBorne vulnerabilities. Armis' 40-person team is headquartered in Palo Alto, Calif. and Tel Aviv, and has raised $17 million in venture capital from investors such as Sequoia Capital and Tenaya Capital.

The automatic connectivity of Bluetooth, combined with the fact that almost all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive.
