You intuitively know why you should bolt your doors when you leave the house, and add some sort of authentication for your smartphone. But there are lots of digital entrances that you leave open all the time, like Wi-Fi and your cell connection. It’s a calculated risk, and the benefits generally make it worthwhile. That calculus changes with Bluetooth. Whenever you don’t absolutely need it, you should go ahead and turn it off.
Minimizing your Bluetooth usage minimizes your exposure to very real vulnerabilities. That includes an attack called BlueBorne, announced this week by the security firm Armis, which would allow any affected device with Bluetooth turned on to be attacked through a series of vulnerabilities. The flaws aren’t in the Bluetooth standard itself, but in its implementation in all sorts of software. Windows, Android, Linux, and iOS have been vulnerable to BlueBorne in the past. Millions could still be at risk.
So, yeah, turn off Bluetooth if you’re not using it, or if you’re near anyone you don’t trust. There might be some inconvenience when you bring your laptop to your desk and want it to connect to a Bluetooth mouse and keyboard. You might end up flipping the switch fairly often to use Bluetooth headphones. But you likely don’t use Bluetooth most of the time. Even if you lean on it all day at work, you can ditch it at a birthday dinner, or when you’re asleep. And if you use it 24/7 on your phone because of a peripheral like a smartwatch, you can at least turn it off on your other devices, especially any Bluetooth-enabled Internet of Things gear.
“For attackers it’s Candyland,” says David Dufour, the vice president of engineering and cybersecurity at the security firm Webroot. “You sit with a computer with a Bluetooth-enabled radio, just scanning for devices saying, ‘Hey, is anybody out there?’ Then you start prodding those devices to look for things like the operating system and the Bluetooth version. It’s a hop, skip, and a jump to start doing bad stuff.”
As overall device security improves, researchers and attackers alike have turned to ancillary features and components to find ways in. In July, researchers announced a bug in a widely used Broadcom mobile Wi-Fi chip that put a billion devices at risk before it was patched. And in 2015, researchers found a critical flaw in Apple’s AirDrop file-sharing feature over Bluetooth.
And then there’s BlueBorne. iOS hasn’t been affected by the flaws since the 2016 iOS 10 release, Microsoft patched the bugs in Windows in July, and Google is working on distributing a patch (though this can take significant time). But in addition to endangering core devices like smartphones and PCs, BlueBorne has implications for the billions of Bluetooth-equipped Internet of Things devices in the world like smart TVs, speakers, and even smart lightbulbs. Many of these devices are built on Linux, and don’t have a mechanism for distributing updates. Or even if they do, they rarely receive them in practice. Linux is working on, but hasn’t yet issued, a BlueBorne patch.
“We wanted to get the research community on board with this, because it didn’t take us a long time to find these bugs, one thing kind of led to another and we found eight really severe vulnerabilities,” says Ben Seri, the head of research at Armis. “Our assumption is there are probably a lot more. We want to get eyes and ears on this type of thing because it’s largely gone neglected by the research community and by vendors over the past years.”
When Bluetooth is on in a device, it is constantly open to and waiting for potential connections. So a BlueBorne attack starts by going through the process Webroot’s Dufour describes: scanning for devices that have Bluetooth on, and then probing them for information like device type and operating system to see if they have the relevant vulnerabilities. Once an attacker identifies vulnerable targets, the hack is quick (it can happen in about 10 seconds) and flexible. The impacted devices don’t need to connect to anything, and the attack can even work when the Bluetooth on the victim device is already paired to something else. BlueBorne bugs can allow attackers to take control of victim devices and access (even potentially steal) their data. The attack can also spread from device to device once in motion, if other vulnerable Bluetooth-enabled targets are nearby.
As with virtually all Bluetooth remote exploits, attackers would still need to be in range of the device (roughly 33 feet) to pull off a BlueBorne attack. But even with the extensive and productive BlueBorne patching that has already happened, there are still likely plenty of vulnerable devices in any populated area or building.
The Best Defense
The importance of Bluetooth defense has become increasingly clear, and the Bluetooth Special Interest Group, which manages the standard, has focused on security (particularly cryptography upgrades) in recent versions. But attacks like BlueBorne that affect individual implementations of Bluetooth are attracting attention as well. “Attacks against improperly secured Bluetooth implementations can provide attackers with unauthorized access to sensitive information and unauthorized use of Bluetooth devices and other systems or networks to which the devices are connected,” the National Institute of Standards and Technology noted in its extensive May “Guide to Bluetooth Security” update.
You can’t control if and when devices get patched for newly discovered Bluetooth vulnerabilities, and you’re probably not going to stop using Bluetooth altogether just because of some possible risks. But apply every patch you can, and keep Bluetooth off when you’re not using it. “With security everything is kind of like the flavor of the week,” Webroot’s Dufour says. “So this week it’s Bluetooth.”
Security’s often a matter of weighing risk and reward, defense versus convenience. In the case of Bluetooth, it’s an easy call.