Billions of devices imperiled by new clickless Bluetooth attack
BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on. The exploit process is generally very fast, requiring no more than 10 seconds to complete, and it works even when the targeted device is already connected to another Bluetooth-enabled device.
Microsoft patched the vulnerabilities in July during the company's regularly scheduled Patch Tuesday. Company officials, however, didn't disclose the patch or the underlying vulnerabilities at the time. A Microsoft representative said Windows Phone was never vulnerable. Google, meanwhile, provided device manufacturers with a patch last month. It plans to make the patch available starting today for users of the Pixel XL and other Google-branded phones, but if past security bulletins are any guide, it may take weeks before over-the-air fixes are available to all users. Izrael said he expects Linux maintainers to release a fix soon. Apple's iOS prior to version 10 was also vulnerable.