"This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering)". This includes Samsung's Gear S3 smartwatch, its smart TVs and family hub.
In a lot of cases, malware depends on people clicking on a link they shouldn't have, or downloading a virus in disguise. Nonetheless, Motherboard noted that "the fact that they depend on the limited range of Bluetooth and that would-be hackers would need to develop separate exploits for each different device and operating system makes them impractical to target victims at scale". Smartphones and tablets manufactured by every major phone maker from Apple to Samsung as well as computers and other devices that are likely to house sensitive personal or business information are all Bluetooth-enabled.
As reported on Forbes; The flaws found by Armis are particularly risky because they can be exploited over the air without any type of authentication or device pairing. "The research illustrates the types of threats facing us in this new connected age". The attack follows how WannaCry ransomware spread earlier this year using NSA's EternalBlue vulnerability. BlueBorne is highly infectious as it spreads further via the victim devices.
Bluetooth is a hard protocol to implement, and the researchers are concerned that the vulnerabilities they found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities. Zero-day vulnerabilities are security flaws that are found before developers have a chance to fix them. The attack essentially takes advantage of how Bluetooth uses tethering to share data and is able to spread through "improper validation".
Ars Technica weighed in: "Izrael said he expects Linux maintainers to release a fix soon". The researchers have informed Microsoft, Google, Linux, and Apple about the new "BlueBorne" attack, and some of these companies have even rolled out patches for it.
Thankfully, patches for the vulnerability are available. Google and Microsoft issued updates, while Apple detected no vulnerabilities in its latest OS. Microsoft released a patch for its computers in July, and anybody who updated would be protected automatically, a spokesman said. Google is issuing a security patch for Android 7 Nougat and Android 6 Marshmallow and is now notifying manufacturers to push the update out ASAP.
Armis offers a Google Play app to test whether Android devices are at risk.
It's time to update your device to avoid any mishap.
The slightly good news is that platform vendors have already been informed and have started rolling out security updates for their users.
The Armis Labs site overview pointed to what could go wrong. Once they successfully exploit the device, they can penetrate the operating system, taking complete control of the device.
"There could be quite a few more coming after this", Mr Miller said.