When Armis researchers demonstrated BlueBorne, an attack that takes advantage of vulnerabilities in the Bluetooth protocol, it was downright frightening how easily an attacker could take remote control over the device.\u00a0View all files saved on the device? Sure\u2014and it\u2019s a snap to encrypt those files as part of a ransomware attack.\u00a0Turn on the camera? Not a problem\u2014and the device can eavesdrop on meetings and monitor conversations without anyone else knowing. Install malware?\u00a0Done with a click and no one the wiser.But what scared me even more was the fact that BlueBorne was just the tip of the iceberg when it comes to Bluetooth-based attacks.Researchers at internet of things security company Armis found eight vulnerabilities in the Bluetooth implementations for Android, Microsoft Windows, Linux, and iOS, which means nearly all Bluetooth-capable devices are affected. The list of vulnerable devices goes beyond just smartphones, tablets, and laptops: think about TVs, watches, entertainment gear, childrens\u2019 toys, and even automative and home automation systems.Anything that has Bluetooth. Armis researchers estimated that over 5.3 billion devices are at risk.\u201cThe BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active,\u201d Armis researchers wrote.Dangers of always on, always listeningBlueBorne takes advantage of the fact that Bluetooth-enabled devices are always listening for other devices they can connect to. While devices typically have to be manually paired to form that initial wireless connection, once paired those devices reconnect automatically whenever they are near each other. BlueBorne exploits the vulnerabilities in a way that it can establish the Bluetooth connection with devices nearby without having to go through the pairing process. Unless someone happens to be looking at the list of Bluetooth devices, it\u2019s unlikely these connections will ever be discovered.\u201cBlueBorne is different from past Bluetooth-based exploits, which relied on weaknesses in the protocol that no longer exist, or authentication-based issues related to idiotic PIN codes,\u201d said Nadir Izrael, CTO and co-founder of Armis. \u201cIt [BlueBorne] requires nothing from the user.\u201dI have heard this before: Malware that executes code and hops from device to device is a worm. BlueBorne lays the groundwork for an IoT worm that spreads over Bluetooth.There are many ways the vulnerabilities can be weaponized. Imagine going to a sporting event and knowing that every Bluetooth-enabled device in the stadium is vulnerable to an attack launched from a single device. An attacker can walk into a building carrying a device pre-loaded with malware and infect a device in the lobby just by standing near it. Everyone walking in and out of that lobby carrying a vulnerable device can be infected, and as those devices move around the building, the potential grows for more infections, until the malware is firmly lodged in the corporate network. Because of the fact that all the malicious activity happened over Bluetooth, no one would even be aware of the malware spread until they start investigating what went wrong.\u201cThe automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, make these vulnerabilities all the more serious and pervasive,\u201d they said. \u201cOnce a device is infected with malware, it can then easily broadcast the malware to other Bluetooth-enable devices in its vicinity, either inside an office or in more public locations.\u201dAnother possible scenario is to launch a man-in-the-middle attack by turning the device into a Bluetooth Pineapple, capable of sniffing traffic sent between devices or spoofing a legitimate device to hijack the connection and redirect traffic. Attackers can look at nearby Bluetooth devices and specifically target devices by using commonly available tools to identify the MAC addresses.\u201cBy probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective,\u201d researchers wrote.Bluetooth typically has high-level privileges on devices because it is intertwined with many system-level processes. Compromising Bluetooth inevitably means that malware executes with those same elevated privileges, in some cases, even as root.Bluetooth\u2019s Stagefright momentBlueBorne may be to Bluetooth what Stagefright was to Android. When Zimperium researchers uncovered the Stagefright vulnerability in Android, where a malformed video sent via text message could be used to execute malicious code on the device, it spurred other researchers to look more carefully at the mediaserver component (and the libstagefright library) that processes video and other multimedia files for other\u2014related\u2014vulnerabilities. For more than a year, Google released fixes for mediaserver every single month as part of its monthly security update. Most of the vulnerabilities were tangential to the original Stagefright flaw, but were located in similar sections of the code and were found because of the increased scrutiny.That\u2019s what we need for Bluetooth. Ben Seri, head of the research team at Armis Labs, said that it hadn\u2019t been that difficult to find the set of vulnerabilities they\u2019d grouped as BlueBorne, noting that hunting for zero-day vulnerabilities is not part of their typical job activities. Anyone \u201coriented towards looking for remote code execution vulnerabilities\u201d would have been able to find the flaws, Seri said.Seri and Izrael were worried about the number of other vulnerabilities lurking in Bluetooth that no one knows about because no one has really paid a lot of attention to the inner workings of the protocol.\u201cArmis believes many more vulnerabilities await discovery in the various platforms using Bluetooth,\u201d the researchers wrote. \u201cThese vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research.\u201dThere are also other, custom, implementations of Bluetooth beyond what the major players are doing. \u201cIf we found them in major stacks, we expect to find them in custom implementations,\u201d Seri said.Most devices can\u2019t be patchedGoogle and Microsoft released updates fixing the vulnerabilities in their September security updates for Android and Windows, and major Linux distributions are coordinating their own fixes. Microsoft said Windows Phones are not impacted, and Apple had changed how it implemented Bluetooth in iOS 10, providentially closing the vulnerability by the time Armis reported the issue. Only pre-iOS 10 versions remain at risk, which Armis estimates at about 130 million devices.The eight vulnerabilities are as follows:Linux kernel RCE vulnerability \u2013 CVE-2017-1000251Linux Bluetooth stack (BlueZ) information leak vulnerability \u2013 CVE-2017-1000250Android information leak vulnerability \u2013 CVE-2017-0785Android RCE vulnerabilities CVE-2017-0781 & CVE-2017-0782The Bluetooth Pineapple in Android \u2013 Logical Flaw CVE-2017-0783The Bluetooth Pineapple in Windows \u2013 Logical Flaw CVE-2017-8628Apple Low Energy Audio Protocol RCE vulnerability \u2013 CVE PendingHowever, that ignores the fact that a siginificant number of those devices will never receive patches or be updated. For example, Armis estimates that only 45 percent of Android devices\u2014approximately 960 million\u2014can be updated, which leaves 1.1 billion Android devices currently in use worldwide vulnerable. There are also plenty of devices that run some flavor of Linux, but don\u2019t have a way to be patched\u2014or the update process is too cumbersome for average users to even attempt.\u00a0Armis recommends keeping Bluetooth disabled on devices until absolutely necessary, and then turning it off when done. Once the device has been updated with the patch closing the flaw, it would be safe to turn Bluetooth back on and leave it on, but it seems to me that it\u2019s good security practice to keep it off when not in use. Why increase the attack surface when you don\u2019t need to?I can\u2019t decide which prospect worries me more: a BlueBorne botnet \u00e0 la Mirai or a BlueBorne worm. Either way, before we make even more things that are Bluetooth-capable, can we make it harder for devices to connect to each other without actual user permission?