A Security company called Armis has found a collection of eight exploits, called BlueBorne, that can allow a hacker access to your phone without touching it. The hacker can have access to computers and phones, as well as IoT devices.

“Armis believes much more weakness await all time discovery on the various platforms using Bluetooth. These weakness are fully operational and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle hacking.

“BlueBorne affects pretty much every device we use. Turns that Bluetooth into a rotten black one. Don’t be surprised if you have to go see your security dentist on this one,” said (Ralph Echemendia, CEO of Seguru.)


The complex vector begins by finding a device to hack. This includes tasking the device to give up information about itself and then, ultimately, release keys and passwords “in an attack that very much resembles heartbleed,” the exploit that forced many web servers to display passwords and other keys remotely.

The next step is a set of code executions that allows for full control of the device. “This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a weakness in the BNEP service, a hacker can trigger a critical memory corruption, which is easy to exploit and enables him to run code on the device, effectively granting him total and absolute control over a device.

Finally, when the hacker has access they are able to begin streaming data from the device in a “man-in-the-middle” hacking. “The weakness resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious (malware) network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This attack does not require any user interaction, authentication or pairing, making it practically invisible.”

Windows and iOS phones are protected and Google users are receiving a patch today. Other devices running older versions of Android and Linux could be easily attacked.

How do you stay safe? Keep all of your devices updated regularly and be careful of older IoT devices. In most cases, the problems associated with BlueBorne vectors should be patched by major players in the electronics space but less popular devices could still be prone to attack.

“New solutions are needed to scrap the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of weakness are not exploited.