Bluetooth Vulnerable to Hack, Researchers Say

More than 5 billion smartphones and other Bluetooth-enabled devices are at risk of an invisible hack that spreads an infected device to nearby Bluetooth devices without any user interaction such as clicking on a booby-trapped link or downloading a malicious file, according researchers at IoT security firm Armis Labs.

Dubbed BlueBorne, the hack exploits security gaps in Bluetooth wireless technology and can be used to spread malware or capture data from smartphones, smart TVs, smart speakers like Amazon Echo, and smartwatches, according to press reports. The vulnerabilities are said to affect unpatched versions of devices running Android, Windows, Linux, and Apple iOS.

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date and can enable a complete takeover of the target device," experts told the International Business Times (IBT).

“BlueBorne spreads locally over the air via Bluetooth and a hacker does not need to pair with a target device,” Armis explained on its website. “If Bluetooth is turned on, a hacker can connect to the device, take control, and spread malware — all completely undetected by the user.”

What would a BlueBorne attack look like? “Imagine a delivery person with an infected device,” Armis said. “He drops off packages at a bank, which is typically a very secure location, but with BlueBorne the infected device can connect to and infect any other device around it via Bluetooth, such as a smartphone, smartwatch, laptop or any other Bluetooth-enabled device…As he continues to deliver packages, he unknowingly spreads the malware at each stop during his day. Each device he connects with can become a carrier of the malware.”

"These silent attacks are invisible to traditional security controls and procedures," Armis chief executive Yevgeny Dibrov said in a statement.

Armis said it first reported the vulnerabilities to Google, Microsoft, and Linux in April and patches have been released as part of regularly scheduled updates.

Most tech companies and organizations have addressed the issues — although there are exceptions, according to a report from Fortune: “Apple said it had already fixed the issue with its release of iOS 10 a year ago; however, people running earlier versions of the software are vulnerable. Microsoft said it released a patch during a regularly scheduled Patch Tuesday in July.”

"Customers who have Windows Update enabled and applied the security updates, are protected automatically," a Microsoft spokesperson told Fortune, and researchers said they expect Linux to release a fix soon.

Google is trickier because the Android ecosystem is fragmented across a wide variety of partners, such as phone manufacturers and mobile carriers, who are responsible for distributing patches developed by Google, Fortune reported.

"We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe," Google’s Aaron Stein told Fortune. He said Google's Pixel and Nexus phones would be updated automatically and partners including Samsung, HTC, and Sony and the wireless carriers Verizon, AT&T, and T-Mobile have had the patch for about a month.

Android users can find out if their device is vulnerable by downloading an app Armis developed to provide a check.

Most at risk are devices that no longer receive security updates and bug fixes.

The best way to protect against the hack is to download and stay up to date with all security fixes.

"In theory, to be safe on these devices, Bluetooth needs to be disabled until a patch is applied," Mark James, a cybersecurity expert with ESET, told IBT.

While the number of at-risk devices is astronomical, there are “no known cases of hackers using the technique to exploit Bluetooth in the wild,” according to the IBT report.

For more information on BlueBorne, including a list of devices at risk, visit

For a full run-down of the technical aspects, see the paper here.

Billy's picture

Don't you guys ever watch this site? Why do you allow spam posts?