Whether you want to link your smartphone with your car radio, control lighting or transfer photos to your PC, Bluetooth is a practical tool for connecting two devices over short distances. But many manufacturers have implemented this wireless transfer process incorrectly.
All operating systems in widespread use are affected, from Microsoft Windows to Google Android and from Apple iOS to Linux. According to estimates by the security experts who discovered the Bluetooth problem and dubbed it BlueBorne, several billion devices are likely to be affected. This figure does not include a number of IoT systems not specified individually by the experts, who see the problem as being caused by the highly complex Bluetooth protocol. As its specification is extremely large, at no fewer than 2,822 pages, programming is very laborious and susceptible to errors.
Affected users do not even notice the attacks, which last just a few seconds. However, as Bluetooth can only be used for short distances, attackers have to be in close proximity to their victims. In this context it does not matter whether the device under attack has already established a Bluetooth connection to another device. Equally, there does not need to be any explicit pairing of devices for an attack to occur.
The effects differ depending on the operating system. The consequences are especially drastic for Linux and its relative Android. In this case, it would even be possible to activate malware and completely hijack systems as a result. This form of attack would also be possible on devices running older versions of iOS. Although this particular attack mode did not succeed on Windows, the researchers nevertheless managed to reroute the entire network traffic and as a result carry out what is known as a man-in-the-middle attack that enables data manipulation. Most manufacturers have reacted to the problem and provided updates.
In cases of doubt, users should switch Bluetooth off as a precaution, advises the German Federal Office for Information Security (BSI). In any case it is advisable to only activate Bluetooth and WLAN when you are using them, says the BSI.