This article was originally written and posted by Alfred Ng from CNET on September 12, 2017.
More than 5.3 billion devices with Bluetooth signals are at risk of a malware attack newly identified by an internet of things security company.
If you're not keeping count, that's most of the estimated 8.2 billion devices that use Bluetooth, which allows for our gadgets to connect and communicate wirelessly. Nearly every connected device out there has Bluetooth capability. Your phones, laptops, speakers, car entertainment systems -- the list goes on and on to even the most mundane gadgets.
Because those devices can connect to others effortlessly, Bluetooth has left an open attack point for hackers, according to researchers at Armis Labs. The attack method, which they're calling BlueBorne, is especially dangerous because it can spread without the victim doing anything or noticing it.
In a lot of cases, malware depends on people clicking on a link they shouldn't have, or downloading a virus in disguise. With BlueBorne, all hackers need to spread malware is for their victims' devices to have Bluetooth turned on, said Nadir Izrael, Armis' chief technology officer.
And once one device has been infected, the malware can spread to other nearby devices with Bluetooth turned on. By scattering over the airwaves, BlueBorne is "highly infectious," Armis Labs said.
"We've run through scenarios where you can walk into a bank and it basically starts spreading around everything," Izrael said.
The attack echoes the way the WannaCry ransomware spread earlier this year. WannaCry allegedly used the NSA's EternalBlue vulnerability and infected computers on the same network, even though they never downloaded the virus. That ransomware infected hundreds of thousands of computers within several hours.
Ben Seri, Armis Labs' head of research, fears that BlueBorne will lead to a similar massive outbreak. In several trials testing out BlueBorne, researchers were able to create botnets and install ransomware using Bluetooth, all under the radar of most protection.
"Imagine there's a WannaCry on Bluetooth, where attackers can deposit ransomware on the device, and tell it to find other devices on Bluetooth and spread it automatically," said Michael Parker, the company's vice president of marketing.
BlueBorne is a collection of eight zero-day vulnerabilities that Armis Labs discovered. Zero-day vulnerabilities are security flaws that are found before developers have a chance to fix them. That kind of exploit lets hackers execute malware remotely, steal data and impersonate a trusted network in a "man in the middle" attack.
It does this by taking advantage of how Bluetooth uses tethering to share data, the company said. It's able to spread through "improper validation," Izrael said. The vulnerability affects devices on most operating systems, including those run by Google, Microsoft and Apple.
The three companies have released patches for the vulnerability. Apple confirmed that BlueBorne is not an issue for its mobile operating system, iOS 10 or later, but Armis noted that all iOS devices running 9.3.5 or older versions are vulnerable. Microsoft released a patch for its computers in July, and anybody who updated would be protected automatically, a spokesman said. Google said Android partners received the patch in early August, but it's up to the carriers to release the updates. Pixel devices have already received the updates.
Of the 2 billion devices using Android, about 180 million are running on versions that will not be patched, according to Armis.
The concern is the multitude of devices that will not be getting updates. Google, Microsoft and Apple are tech titans that regularly update their products for security. But updates might not be as frequent for single-purpose smart devices like your smart refrigerator or a connected television.
Of the potentially impacted devices, Armis Labs estimated that 40 percent are not going to be patched. That's more than 2 billion devices that will be left vulnerable to attacks, they warned.
"We're looking at a forever-day scenario for many of these devices," Parker said.
You can turn off your Bluetooth to prevent attacks if you won't receive the patch, Armis advised.