Phones, tablets and smartwatches may be at risk to 'BlueBorne' style attacks

A set of previously unknown security vulnerabilities in Bluetooth technology reportedly left billions of devices at risk of hacking, a team of internet-of-things (IoT) researchers has said.

Experts from Armis, a security firm, claimed this week (12 September) to have found a series of flaws that put up to 5.3bn devices with Bluetooth capabilities at risk of a highly-infectious type of attack. It could reportedly take over smartphones, smartwatches, TVs and laptops.

Based on a proof-of-concept, the security gaps – which have been dubbed "BlueBorne" – could be used by hackers to spread malware or intercept data.

This could occur via "man in the middle" cyberattacks without the need for any user interaction or clicks.

The flaws impacted "all" devices on Android, Windows, Linux and Apple iOS versions pre-iOS 10, Armis said.

Unlike traditional cyberattacks, the Bluetooth method doesn't need a victim to fall for a malware-ridden link or download a booby-trapped document.

Instead, it could take advantage of four critical zero-day bugs and spread "over the air".

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date and can enable a complete takeover of the target device," experts asserted.

If Bluetooth is enabled, Armis explained in a YouTube video, a hacker could connect to the device and force surrounding web-connected technology to become a "carrier" for the virus.

"These silent attacks are invisible to traditional security controls and procedures," said Yevgeny Dibrov, the chief executive of Armis, in a statement.

"Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," he added.

Armis said that it first reported the vulnerabilities to Google, Microsoft and Linux in April and patches have now been released as part of vendors' regular scheduled updates.

Users are recommended to urgently download all security fixes to stay safe.

Ars Technica reported that the time to exploit a device was "no more than 10 seconds" and that it would theoretically work even if a device was already paired with another. A spokesperson for Microsoft claimed it first released patches for BlueBorne in July this year.

It said that its Windows phones were not impacted by the attack vector.

"Previously identified flaws found in Bluetooth were primarily at the protocol level," Armis claimed. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."

Man looking at phone
'Billions' of devices are reportedly at risk iStock

In many ways, if it takes hold, the flaw resembles a digital airborne virus.

While the total number of potentially-at-risk devices is astounding, there has seemingly been no known cases of hackers using the technique to exploit Bluetooth in the wild.

But that may change as it will continue to impact devices which no longer receive security updates and bug fixes.

"The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive," researchers said.

For a full run-down of the technical aspects, see the paper here.

"In theory, to be safe on these devices, Bluetooth needs to be disabled until a patch is applied," said Mark James, an expert at cybersecurity firm ESET.

"If no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained," he added. "When exploits like these are found on technology that is integrated into almost every device we use, it's a real concern."