Juha Saarinen: Blueborne, the massive security Bluetooth-ache

Bluetooth seems simple on the surface, but it's really obscure and convoluted under the hood. Photo / 123RF

Another week, another giant IT security issue: billions of devices out there have wireless Bluetooth networking, and heaps of them are totally insecure.

That means bad people can have a go at new and old smartphones, wearables, TVs, audio devices and cars with Bluetooth enabled and in some cases take full control over them.

Bluetooth seems simple on the surface, but it's really obscure and convoluted under the hood.

The technical specification for the wireless personal area networking feature takes more than 2800 pages and very few people understand it or, for that matter, why Bluetooth was named after Danish viking king Harald I who might have had rotten teeth. Nevertheless, researchers at security vendor Armis Labs decided to analyse Bluetooth, and they found horrifying holes in the protocol.

Attackers can do creepy things like remotely take photos and videos with your smartphone camera, go through information stored on devices, and plant malware on them.

What's worse, you're unlikely to spot that an attacker's controlling your device.

There's no need to panic yet. The vulnerabilities found by the researchers are not exploited as far as they know. Nobody's written a self-propagating worm that will jump from device to device over the air without users having a clue for instance.

Bluetooth reaches only 100m at the most so attackers would have to be close to their victims.

Also, Apple, Microsoft and the Linux open-source kernel maintainers have issued patches for the security flaws the researchers found, so you should update your device.

Nevertheless, the Blueborne cat's out of the bag and it's almost certain that someone will try to use it for nefarious purposes because the attacks are hard to spot and let hackers into your most personal devices.

Smartphones are low-hanging fruit for attackers. Android devices especially end up being abandoned by vendors and don't get security updates even though they're not very old.

I tried Armis Labs Blueborne scanner from the Google Play store, and it marked a  Samsung Galaxy 8+ and Huawei P10 as vulnerable.

Try the scanner - it'll look for other Bluetooth devices near the one you're checking as well - and see if your device vendor has security updates available. They really should provide that, so complain loudly until they do.

If no security updates are available and you don't want to buy a new device that doesn't have the vulnerability, the only option is to switch off Bluetooth when you don't use it.

That's a pain but it has the bonus of preventing tracking of your mobile device as well. Bluetooth and WiFi radios send out signals to check for connections, and these can be intercepted and used to identify people. Shopping malls can use that to provide "targeted user experiences" for instance which, in my opinion, is a euphemism for "obnoxious privacy invasions".

Blueborne is a reminder that security is an afterthought for vendors and that in many cases, they have no clue about the technology they add to devices. Sadly, it won't be the last example of that negligence either.