Security research firm Armis has disclosed eight new Bluetooth vulnerabilities it collectively calls "Blueborne" that can be used to penetrate and take over a device with Bluetooth switched on in less than 10 seconds, without the user having to connect to a compromised device or take any other action.
Armis reported the vulnerabilities to major vendors before going public; fully patched Windows systems and iOS devices are protected, and an Android update is being pushed today for Google phones.
GNU/Linux distributions are expected to issue patches soon; users of Android and GNU/Linux should switch off their Bluetooth until the patch arrives, because both are especially vulnerable to the attack.
Surprisingly, the majority of Linux devices on the market today don't use address space layout randomization or similar protections to lessen the damage of Blueborne's underlying buffer overflow exploit, Armis Head of Research Ben Seri said. That makes the code-execution attack on that OS "highly reliable." Android, by contrast, does use ASLR, but Armis was able to bypass the protection by exploiting a separate vulnerability in the Android implementation of Bluetooth that leaks memory locations where key processes are running. Blueborne also massages Android memory in a way that further lessens the protection offered by ASLR. The result: Blueborne can carry out remote code-execution attacks on both OSes that are both stealthy and reliable.
Armis researchers haven't confirmed that code execution is possible against Windows' unpatched Bluetooth implementation, but they were able to carry out other attacks. The most significant one allows hackers to intercept all network traffic sent to and from the targeted Windows computer and to modify that data at will. That means attackers could use Blueborne to bypass personal and corporate firewalls and exfiltrate sensitive data and possibly modify or otherwise tamper with it while it's in transit. The Android implementation is vulnerable to the same attack.
Billions of devices imperiled by new clickless Bluetooth attack [Dan Goodin/Ars Technica]