Researchers at IoT security company Armis Labs have identified a vulnerability in Bluetooth that, they say, enables malware to be spread between almost any device with Bluetooth turned on; the devices do not need to be paired with each other.

Armis Labs – which emerged from stealth mode in June with $US17 million in venture funding – says the vulnerability affects more than 5 billion devices running Android, Linux, Windows and versions of iOS before version 10, regardless of the Bluetooth version in use.

“This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally,” the researchers say.

Dubbed BlueBorne, the vulnerability enables an infection to spread rapidly across huge numbers of devices, according to Armis. A single compromised device, such as a mobile phone, can infect others within Bluetooth range so long as Bluetooth is turned on, and these in turn can spread the infection to others as their owners go about their daily activities.

The researchers say BlueBorne poses a tremendous threat to any organisation or individual. “Current security measures, including endpoint protection, mobile data management, firewalls, and network security solutions are not designed to identify these types of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections.”

They say new solutions are needed to address attack vectors that make air gapping irrelevant. “There will need to be more attention and research as new protocols are used for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited.”

Armis says it reached out in April to Google, Microsoft, Apple, Samsung and the Linux Foundation “to ensure a safe, secure, and coordinated response to the vulnerabilities identified,” and that Google and Microsoft released updates and participated in the co-ordinated public disclosure on 12 September.

The company says it contacted Samsung on three separate occasions in April, May, and June, but “no response was received back from any outreach.”

Apple had no vulnerabilities in current software and Armis says a previously disclosed iOS vulnerability had been patched by Apple, but it adds: “This vulnerability still poses great risk to any iOS device prior to version 10, as it does not require any interaction from the users, or configuration of any sort on the targeted device.”

Not very complex

The researchers claim the vulnerabilities and the related exploitation techniques are not very complex and demonstrate how protocols that are difficult to implement are susceptible to bugs.

“Implementers of such a complex standard as Bluetooth have to heavily rely on guidelines presented in the specification, which is severely outdated in certain parts, and completely lacking in others,” Armis says. “A researcher or attacker armed with domain-specific knowledge of obscure features implemented in Bluetooth can tap into a relatively unexamined attack surface.”

Further, it points out that software developers are making it harder to gain full control of devices through the main processes of operating systems, but peripheral components such as Bluetooth present another avenue of access that tends to be ignored.

“Attackers can target these sections of the device, and take control through them, as they are an integral part of the operating system – either as part of the kernel itself, or as highly privileged processes on top of it.”

The company says the security community needs to do more to ensure no doors are left open, and address vulnerabilities such as BlueBorne that grant attackers a back route to full control.