Security researchers reveal several new bugs that allowed hackers to hack into cellphones and computers simply because they had Bluetooth on.
For years, cybersecurity experts have told people to keep Bluetooth off as a precaution against hackers. Now, there's yet another reason to do so: a series of vulnerabilities in the way major operating systems implemented Bluetooth allowed hackers to take over your cellphone or computer whenever Bluetooth was on.
Researchers at security firm Armis disclosed on Tuesday eight "critical" Bluetooth vulnerabilities that allowed hackers to break into and take control of smartphones and computers with no user interaction, and no way for the user to know what was happening. According to the researchers, the vulnerabilities affected virtually all Bluetooth devices, including Android phones, older iPhones, Windows computers, and some devices running Linux.
"The user is not involved in the process, they don't need to be in discoverable mode, they don't have to have a Bluetooth connection active, just have Bluetooth on," Nadir Izrael, the co-founder and chief technology officer for Armis, told Motherboard.
Ben Seri, the head researcher at Armis, showed me how he could take control of an out-of-the-box Google Pixel in a demo at the VICE office last week. Seri typed a few commands into a terminal on his computer and hacked into the Pixel, which gave him the ability to take a picture and move a mouse cursor within the phone from his computer's keyboard.
The researchers said that the bugs, which they dubbed BlueBorne, affected Android, iOS, Windows, and some Linux distributions. Microsoft confirmed the researchers' claims, and said that the company quietly patched the bugs with an update in July. A spokesperson said in a statement that "as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates."
Apple did not respond to a request for comment. A Google spokesperson said in an emailed statement that the company has released security updates to fix these bugs for versions 4.4.4 and higher of Android, and that Pixel devices should already be getting patches.
Greg Kroah-Hartman, a Linux kernel developer, also confirmed the existence of the bugs, and said there was a patch for Linux devices. Kees Cook, a Google engineer who works on Linux development, added that "most builds would not be vulnerable."
As well-known security researcher Collin Mulliner, who has studied the security of Bluetooth for years, told me, these bugs could be "bad bad," but there's no reason to panic. First of all, if you apply the patches you'll mostly be fine. Secondly, and contrary to Armis' claims, it's likely very hard to write an exploit that works on all platforms affected, which makes it unlikely that someone will be able to create a Bluetooth worm that propagates through different devices. Moreover, even with Bluetooth on, you're only vulnerable as long as you're in close proximity to the hacker.
"These are good bugs—or bad bugs depending on how you're going to look at it—but the impact they're gonna have is likely minimal," Dan Guido, the founder of the security research firm Trail of Bits, told Motherboard in a phone call. "There's a lot standing in the way between the bug existing and a wormable exploit coming out."
In other words, while these bugs allowed for complete takeover of devices—essentially game over for hacking—they depend on the limited range of Bluetooth, and would-be hackers would need to develop separate exploits for each different device and operating system, which makes them impractical for targeting victims at scale.
Either way, if you are not using it, just turn Bluetooth off.