A new malware attack, dubbed BlueBorne, is spreading in the wild, thanks to a combination of eight different vulnerabilities affecting Android, iOS, IoT devices, Windows, and Linux. The security research firm Armis writes:

BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.

What sets BlueBorne apart from other malware is that the infected device doesn’t have to pair with your hardware to infect it. Pairing is fundamental to the use of Bluetooth. Some devices have a code you have to enter to pair them; some pair automatically if in range and set to the appropriate mode. But you can’t typically exchange data with a Bluetooth device if you aren’t paired with it — at least, not in theory. The problem is, even after Bluetooth devices have paired to one product, they continue sending out signals to locate other devices in the area.

Armis continues:

The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active. Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.

The problem is so widespread because most Bluetooth implementations follow one of two approaches. Either they implement the protocol in an identical manner, which means a vulnerability on Windows can also affect Android, or they take too much leeway in certain areas of the protocol, exposing their specific products to security flaws. Stack up identical implementations and room for security flaws in the same protocol and you get a situation where a combination of vulnerabilities can be used to wreck everyone’s BT implementation for one reason or another.

Currently, all Windows devices running Vista or later, all Linux devices running BlueZ or Tizen 3.3-rc1, all Android devices, and all versions of iOS running iOS 9.x or earlier are affected. iOS 10 and later devices from Apple are not affected. Google has pushed out a solution, but only for Nougat and Marshmallow. Earlier versions of Android will reportedly not be patched.

How it Works

BlueBorne works by locating active Bluetooth devices (even if not in ‘Discover’ mode) and obtaining the MAC address of the target device. It then probes the device to determine what OS is running and adjusts its attack accordingly. It can create a man-in-the-middle attack or even take control of the device to further self-distribute to other Bluetooth hardware. A whitepaper with additional details is available here.
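To see which adapters on a Linux host meet that precondition, the following added example (not from Armis or the original article) parses the output of BlueZ's `hciconfig` tool and separates adapters that are discoverable from those that are hidden but still accepting connections. The sample output and addresses are constructed, and the function names are hypothetical; PSCAN means the adapter answers connection requests, ISCAN means it answers discovery inquiries.

```python
import re

# Constructed sample of `hciconfig` output; adapters and addresses are made up.
SAMPLE = """\
hci0:\tType: Primary  Bus: USB
\tBD Address: 00:11:22:33:44:55  ACL MTU: 1021:8  SCO MTU: 64:1
\tUP RUNNING PSCAN ISCAN
\tRX bytes:1234 acl:0 sco:0 events:60 errors:0

hci1:\tType: Primary  Bus: UART
\tBD Address: 66:77:88:99:AA:BB  ACL MTU: 1021:8  SCO MTU: 64:1
\tUP RUNNING PSCAN

hci2:\tType: Primary  Bus: USB
\tBD Address: CC:DD:EE:FF:00:11  ACL MTU: 1021:8  SCO MTU: 64:1
\tDOWN
"""

def parse_hciconfig(text):
    """Return one dict per adapter: name, BD address, and state flags."""
    adapters, current = [], None
    for line in text.splitlines():
        head = re.match(r"(hci\d+):", line)
        if head:
            current = {"name": head.group(1), "address": None, "flags": set()}
            adapters.append(current)
            continue
        body = line.strip()
        if current is None or not body:
            continue
        addr = re.match(r"BD Address: ([0-9A-Fa-f:]{17})", body)
        if addr:
            current["address"] = addr.group(1)
        elif re.fullmatch(r"[A-Z]+( [A-Z]+)*", body):
            # The state line is the only all-uppercase line, e.g. "UP RUNNING PSCAN"
            current["flags"] = set(body.split())
    return adapters

def exposure(adapter):
    """Classify how reachable an adapter is to unpaired devices in radio range."""
    flags = adapter["flags"]
    if "UP" not in flags:
        return "off"
    if "PSCAN" in flags:
        # Connectable either way; ISCAN only decides whether it also shows up in scans
        return "discoverable" if "ISCAN" in flags else "connectable, not discoverable"
    return "up, not accepting connections"

def audit(text):
    return {a["name"]: exposure(a) for a in parse_hciconfig(text)}
```
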

Watch for patches for these issues if you use Bluetooth. And Windows users (or at least, BT-using Windows users), this is a good reason to patch your OS, general comments on update-skipping notwithstanding.