Researchers discovered a new attack vector, “BlueBorne,” along with eight zero-day Bluetooth vulnerabilities, four of which are critical, that could allow an attacker to remotely control Bluetooth-enabled devices and install malware that can rapidly jump from one device to another on the same network.
Mobile device manufacturers were notified of the Bluetooth vulnerabilities in April of this year, so the vulnerabilities have been patched in the majority of new phones. However, devices with older software may be at risk.
Specifically, iPhones running iOS 10 or later have received the update. However, older iPhones such as the iPhone 4 may still be vulnerable. Google is in the process of issuing updates for Android devices running Android 4.4.4 (KitKat) or later, but many Android devices, including the Google Pixel and Samsung Galaxy phones, remain vulnerable. Microsoft issued a patch in July for Windows devices with Bluetooth (e.g., most laptops).
For more information and a complete list of affected devices, see Armis Labs' advisory: https://www.armis.com/blueborne/#/technical.
ACA Aponix Guidance
ACA Aponix recommends taking the following precautionary steps to prevent this attack from affecting your devices:
- Keep Bluetooth turned off on mobile devices when possible, particularly on public Wi-Fi networks and when connected to a network with many other devices, such as your office.
- Make sure your mobile devices and laptops are up to date with the latest software patches, and install future updates as soon as they are released.
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.