We got to see something cool and terrible (yes, it's possible to be both at the same time) earlier this week when Armis Security published the details of a new Bluetooth exploit. Called "Blueborne," the exploit allows a person with the right tools who is within Bluetooth range of your smart thing — laptop, phone, car, or anything else that runs Android (as well as most every other operating system, including iOS and Windows) — to gain control over the device without any action from the user. That's because the exploit cleverly attacks the portions of the software needed to establish a connection in order to hijack the Bluetooth stack itself, which is implemented in pretty much the same way everywhere because of how complicated Bluetooth is and how the stack itself handles so many things the OS could be doing instead.

Interested yet? If not, you should be.

Before we go any further, here is the good(ish) news: Apple, Google, and Microsoft have all patched the exploit. On the Android side, we saw the fix in this month's security patch, released the same day the vulnerability was made public. This surely isn't a coincidence, and kudos to Armis for working with the companies who write the software we all use every day to get this fixed. Of course, almost every Android-powered device doesn't yet have this patch and won't for a while. I'll resist the temptation to make this all about Android's update woes and the million-and-one different reasons that it happens. I'll just say that if you value being protected against most vulnerabilities like this, you currently have three options: an Android-powered device from BlackBerry, an Android-powered device direct from Google, or an iPhone. You decide what to do here.

Instead, let's talk about what Blueborne is and how it does it, as well as what you can do about it.

What is Blueborne?

It's a series of simple attacks on various parts of the Bluetooth stack running on almost every smart device in the world, including 2 billion Android phones. It's not a MiTM (Man in The Middle) attack, where someone intercepts Bluetooth traffic between you and a thing you're connected to. Instead, it's posed as a device that wants to discover and connect over Bluetooth, but the exploit happens before the connection attempt gets to a stage where a user needs to act.

For people into this sort of thing, the short version of how the exploit works on Android is that the attacker sends out a discovery query, then manipulates both the timestamp and size of a second discovery query for a separate service to the same machine. This causes a buffer underflow and bypasses the standard Bluetooth Security Management Protocols to hit the failsafe "just works" connection.
While it sounds crazy that this works, it's better than the default BlueZ stack version of the exploit, which is a straight-up buffer overflow that bypasses every connection check. I'm not familiar enough with Windows or iOS to parse the exploit code for those operating systems, but if you are, hit the link in the opening paragraph and check it out. Then hit the comments and help us all understand better.

If you're not into looking through code (it's a special sort of illness, I do admit), the short short version is that a person with a computer that has a Bluetooth connection can type a few lines in a terminal and connect to your phone. How easy it is for him or her to connect is ridiculous (we'll talk about why that is later), and anyone with even just a passing knowledge of this sort of thing can do it. That's why it was important that Armis hold the release until Apple, Google, and Microsoft were able to act.

The scary part is what happens after the connection is made. There is no secret magic app that roots your phone and hacks all your data. It's too easy to prevent any process from getting that level of control, and permissions prevent it from happening unless a process does have that level of access. Instead, an attacker can act as the logged-in user. That's you.

With 8 billion devices that need to connect, Bluetooth is a big target for people who want to steal data. In the example video above we see the attacker establishing a Bluetooth mouse connection to a sleeping Pixel, then doing the same things you could do if you were holding it in your hands. Apps can be started, pictures, video, and audio can be recorded, and your files can be downloaded directly to the attacker's computer. There is nothing on your phone to say "Stop, this is not cool" because it is cool — it's acting as you. And none of your data is safe. If the attacker is unable to access a sandboxed directory, he or she can simply open the associated app and pull images of what's on the screen while it is running.

The frustrating part of all this is why it works. I'm not talking about how the stack is exploited and someone crashes their way in; I mean why in the broader sense. Why something this preventable was able to slip past the experts who oversee security and are really good at writing this sort of thing out of the operating system.
And the answer is that it happened because Bluetooth is a giant, complicated mess. It's not the Bluetooth SIG's (Special Interest Group) fault, even if it is their responsibility to ultimately address this. Bluetooth started out in 1998 as a simple short-range wireless connection. It's now on more than 8 billion devices worldwide and has grown and grown in features and complexity. And it has to be backward compatible, so portions of it have to be left as-is when it comes to things like advanced connection security standards. If an encrypted paired-key connection can't be established, it has to be able to try something less secure and keep trying until it connects, runs out of ways to try, or the security management features tell it to stop. Exploit the SMP layer and you're in. And as new features get added to newer versions, it only gets worse.
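To make the fallback described above concrete, here is an added example (not code from the article or from Armis) that models how LE legacy pairing picks a pairing method from the two sides' IO capabilities and authentication flags, and then applies a local policy that refuses to accept a "Just Works" result for a connection that is supposed to be authenticated. The method-selection rules follow the Security Manager Protocol chapter of the Bluetooth Core Specification as I understand it; the `Policy` class, the profile names, and the sample negotiations are constructed for illustration and are not part of any real stack.

```python
# Added example: SMP pairing-method selection and a defender-side policy check.
# The selection table below is the LE *legacy* pairing mapping from the
# Bluetooth Core Specification (Vol 3, Part H); LE Secure Connections adds
# Numeric Comparison for DisplayYesNo/KeyboardDisplay pairs, which this model
# deliberately leaves out. Everything named "Policy" or "profile" here is a
# constructed illustration, not a real API.
from enum import Enum


class IOCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
    KEYBOARD_DISPLAY = "KeyboardDisplay"


JUST_WORKS = "Just Works"        # unauthenticated: no MITM protection at all
PASSKEY_ENTRY = "Passkey Entry"  # authenticated: user types/compares a 6-digit code
OUT_OF_BAND = "Out of Band"      # authenticated: secret exchanged over NFC or similar


def select_method(initiator: IOCap, responder: IOCap,
                  initiator_mitm: bool, responder_mitm: bool,
                  oob_both_sides: bool = False) -> str:
    """Return the pairing method SMP would fall through to for this pair.

    Order of precedence: OOB data on both sides wins; if neither side asked
    for MITM protection the stack goes straight to Just Works; otherwise the
    IO capabilities decide, and any side with no usable IO drags the
    negotiation down to Just Works.
    """
    if oob_both_sides:
        return OUT_OF_BAND
    if not (initiator_mitm or responder_mitm):
        return JUST_WORKS
    if IOCap.NO_INPUT_NO_OUTPUT in (initiator, responder):
        return JUST_WORKS
    # Two display-only devices cannot get a passkey entered anywhere.
    display_only = {IOCap.DISPLAY_ONLY, IOCap.DISPLAY_YES_NO}
    if initiator in display_only and responder in display_only:
        return JUST_WORKS
    return PASSKEY_ENTRY


class Policy:
    """Constructed local policy: which profiles may accept an unauthenticated
    (Just Works) pairing. A mouse with no keys legitimately needs it; a profile
    that exposes files or input should not silently accept the failsafe."""

    def __init__(self, profiles_allowing_just_works: set[str]):
        self.allow_jw = set(profiles_allowing_just_works)

    def decide(self, profile: str, method: str) -> tuple[str, str]:
        if method == JUST_WORKS and profile not in self.allow_jw:
            return ("reject", f"{profile}: unauthenticated pairing not permitted")
        return ("accept", f"{profile}: {method}")


def negotiate(profile: str, policy: Policy, initiator: IOCap, responder: IOCap,
              initiator_mitm: bool, responder_mitm: bool,
              oob_both_sides: bool = False) -> tuple[str, str, str]:
    """Run selection then policy; returns (method, verdict, reason)."""
    method = select_method(initiator, responder, initiator_mitm,
                           responder_mitm, oob_both_sides)
    verdict, reason = policy.decide(profile, method)
    return (method, verdict, reason)


if __name__ == "__main__":
    # Constructed sample: the phone only tolerates Just Works for a plain mouse.
    policy = Policy({"HID mouse"})
    cases = [
        ("HID mouse", IOCap.NO_INPUT_NO_OUTPUT, IOCap.KEYBOARD_DISPLAY, True, True),
        ("File transfer", IOCap.NO_INPUT_NO_OUTPUT, IOCap.KEYBOARD_DISPLAY, True, True),
        ("File transfer", IOCap.KEYBOARD_ONLY, IOCap.KEYBOARD_DISPLAY, True, True),
        ("File transfer", IOCap.KEYBOARD_DISPLAY, IOCap.KEYBOARD_DISPLAY, False, False),
    ]
    for profile, init, resp, im, rm in cases:
        print(negotiate(profile, policy, init, resp, im, rm))
```

The third and fourth sample cases are the instructive ones: two capable devices still land on Just Works when neither side sets the MITM flag, which is exactly the kind of quiet downgrade a per-profile policy exists to catch.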

There are exploits in proprietary software, too. We just don't know about them until it's too late.