We often repeat that smartphones are inherently flawed in terms of security. The reason is they rely on several technologies that were never intended to provide security. Bluetooth is one such technology – and the BlueBorne attack recently reported by security firm Armis is a reminder of that.
The company describes the hack as a completely new attack vector. Unlike most hacking attempts that rely on some sort of social engineering to trick the user into clicking on a link or downloading a file, BlueBorne can seamlessly transmit malware over Bluetooth. The user doesn’t even have to be connected to the internet.
If hackers manage to infiltrate your device, they can:
- Listen in on your calls and read your messages. Even encrypted ones, because spyware can access them before they ever get scrambled;
- Infect your phone with ransomware and extort you to unlock it;
- Mine valuable data stored on your device, which is particularly concerning if you use the phone for work;
- Take control of your device and enlist it in a botnet, with which they can perform DDoS attacks on third parties;
- Use your phone to spread the malware further, and take control of numerous more connected devices.
How does the BlueBorne hack work?
Unlike what most people think, two devices don’t necessarily have to be paired to connect via Bluetooth. Everything that has Bluetooth enabled – and this could be phones, smart watches, TVs, laptops, desktops – and is within a 30-foot range is accessible. The technology doesn’t rely on Wi-Fi, 4G or any other type of network – the devices connect to each other over the air, completely peer-to-peer.
BlueBorne exploits that functionality and the fact that Bluetooth is high on the priority list of most contemporary systems. And it is a serious implication for banks, hospitals, and other establishments storing heaps of sensitive data. Such places secure their records by restricting physical access to them, as well as sealing networks from the outside. Since Bluetooth doesn’t need a network, it makes all enabled devices potential targets for infection even at such locations.
All а hacker needs is a laptop with Bluetooth that they can use to scan for other connected appliances in their vicinity. Once they do, they can view details about those devices – such as the OS type and their model. This is relevant information since it determines if they have the software flaws that make the hack possible. Then the attackers just unleash the malware on the nearby devices. The infection can reportedly take as little as ten seconds.
What can you do to avoid getting hacked?
Shortly after the news about BlueBorne broke out, Google said fixing the issue would be part of its September security patch for Android. But with the fragmented ecosystem of this OS, this means pretty much only Nexus and Pixel phones will be out of the attack’s scope when the patch is released. It might be a while until the patch trickles down to third-party vendors and manufacturers running their own versions of the operating system. (Which is the majority of the billions of Android phones around the globe.)
So, experts suggest that you turn off Bluetooth or stop using it altogether. This might be an inconvenience. But in reality, Bluetooth is not like most of your phone’s other functions – Wi-Fi, data connection, USB, camera or whatever. You don’t need it turned on all the time. And even if you do still use Bluetooth at home, you can turn it off when you are at a location where you might feel you’re potentially exposed to attack, or you’re with someone you don’t necessarily trust.