A hacker could break into your phone, take control of your device, read all your messages, take all your passwords and watch all your browsing — all without you having to download a virus or even be connected to the internet.
Security researchers at Armis Labs were the first to identify what they call the “Blueborne” exploit. By using wireless Bluetooth technology, an attacked can spread a virus from device to device through thin air, all without needing a user to download a corrupted file or to even be connected to the internet at all.
After one device is infected, it can then spread to any other device with Bluetooth enabled, and then those will infect any other devices with Bluetooth enabled.
With more than 8.2 billion Bluetooth-enabled devices in operation around the world, the potential scale of the threat is chilling.
“Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats,” wrote Armis researchers.
Bluetooth is used by phones and other devices to share information with each other. It’s the technology that allows smartwatches, portable speakers, headsets, fitness devices and thousands of other devices to link up with your phone.
Usually, you need to manually perform a process to “pair” a device with your phone via Bluetooth. This exploit allows hackers to avoid all that.
“The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode,” said Armis.
Once the attackers are on your device, they can pretty much do whatever they want, the researchers said. That’s because Bluetooth usually has very strong permissions to access all the data on your phone — that’s how it tells your Apple Watch who’s calling you or what your current back account balance is.
So what can you do to protect yourself?
Some security fixes for the vulnerability have already been released by technology companies like Apple, so the first step is to make sure you’ve completely updated your phone and any of your Bluetooth devices. Another way is to switch your Bluetooth service off when you’re not using it.
Updates to help address the problem will keep coming, but experts say this is only the beginning. Technology companies can pump out security fixes as fast as they find vulnerabilities, but most of the time it’s up to the users to actually go in and install them.
It’s even worse for smart devices connected by the “internet of things.”
“When you start looking at your printers, the new TVs, new watches, home system, the medical appliances — they don't tend to get updated because they just sit there and people forget about them,” said Ty Miller, managing director of international cybersecurity firm Threat Intelligence in an interview with ABC.
Check out this video by Armis Labs that helps explain exactly how Blueborne works.