Security Researchers Discover Bluetooth Vulnerability that Could Be Used to Track Phones

Security company Armis has discovered a collection of eight exploits, collectively called BlueBorne, that can allow an attacker to access your phone without touching it.

The attack relies on your phone’s Bluetooth connection. Armis claims the exploit can be used to target computers and phones as well as IoT devices – like your smart TV or smart fridge.

The exploits are purportedly “fully operational” and can be successfully exploited in the wild. Armis released research proving the viability of a BlueBorne attack. They showed how the exploit could be used to conduct a wide range of attacks, including remote code execution or man-in-the-middle attacks.

In layman’s terms, that means BlueBorne could track SMS messages, monitor Android activity, and track other personal data sent and received over a smartphone.

Armis released video footage of the attack in action.

In the video, you can see how the exploit allows an attacker to identify a device, connect to that device using Bluetooth, and then begin to control the screen and apps of the device.

Remote Code Executions Allow Anyone to Control and Track Your Phone Via Bluetooth

The SMS tracking exploit begins by finding a device to hack. The attacker activates Bluetooth and scans for any nearby devices. The target device is forced to give up information about itself, and ultimately to release keys and passwords in the attack.

The next step is for the attacker to execute code to gain full control over the device. This part of the exploit specifically resides in the Bluetooth Network Encapsulation Protocol, or BNEP, service. BNEP allows users to share an internet connection over Bluetooth (tethering). BlueBorne relies on this feature to gain remote control of a device.

Attackers Can Track SMS Messages and Other Phone Activities

Once remote code has been executed on a device, there’s no shortage of tracking-related tasks an attacker can do. The attacker can stream data from the device in a man-in-the-middle attack, which means they create a malicious network interface on the victim’s device, then transmit all data through the malicious network interface without any user interaction. This means all user data can be stolen.

Windows and iOS Users Are Already Protected, and an Android Patch is Rolling Out

There’s good news about the BlueBorne exploit: Windows and iOS users are already protected from it. Android users, meanwhile, are receiving the patch today.

Nevertheless, older devices running Android and Linux could be vulnerable. If you have an older device that uses Bluetooth, then you may want to avoid using your Bluetooth signal while you wait for a device-specific patch to come out.

In the meantime, it’s never a good idea to leave your Bluetooth signal activated in public whether you’re using an iPhone or Android device.
