Equifax reported the cost days after its former CEO testified before the Senate saying he doesn’t know who attacked them.


Equifax reported costs of $87.5 million due to its “cybersecurity incident.” Despite massive fallout from one of the largest data breaches in history, Equifax still reported a 4% increase in revenue for the third quarter of 2017, compared to Q3 2016.

The company did report profit losses of 27%, however, which may be due to the money it has had to dedicate to what it described as production costs, professional fees, and consumer support.

Dedicating $87.5 million to addressing the costs of such a massive breach may not have produced any tangible security results for Equifax, or at the very least helped it figure out who attacked them.

Mr. Smith goes to Washington

Former Equifax CEO Richard Smith testified before the Senate on Wednesday, revealing that the company still had no idea who was behind the attack. He did, however, note that they knew precisely why the attack happened: An unpatched Apache vulnerability.

The vulnerability in question was publicly disclosed and assigned a CVE number in March 2017, and it was rated 10, the most critical score on the CVSS scale. Despite that, the Apache Struts installation at Equifax running the vulnerable software was still unpatched in May, when attackers used it to steal the records of over 145 million consumers.

This isn’t a unique incident: throw a dart at a list of major security incidents in the past few years and you’re likely to hit one caused by an unpatched vulnerability. From WannaCry to the exploits leaked by the Shadow Brokers (all of which Microsoft has patched), attackers are largely targeting systems with known, exploitable vulnerabilities.

Don’t get stuck with the bill

The average data breach is nowhere near as costly as Equifax’s, but at $3.62 million it could still be enough to cripple a new or growing business. Not everyone can bounce back as easily as a behemoth like Equifax; even big companies like Yahoo have been crippled by the attacks they’ve faced.

There’s a key lesson for business leaders to take away from the Equifax breach and the muddled, unclear responses the Senate got out of Smith and former Yahoo CEO Marissa Mayer: Don’t get caught with your cybersecurity pants down.

Had Equifax simply taken the time to patch a vulnerability, Mayer would have been alone at that Senate hearing.

It didn’t, though, and that should be a wakeup call to everyone.

The top three takeaways for readers:

  1. Equifax’s third quarter earnings revealed that the company lost $87.5 million dealing with its recent data breach, which may have led to a profit loss of 27% over Q3 2016.
  2. Despite huge recovery spending, former Equifax CEO Richard Smith said the company still had no idea where the attack came from. They do know what happened, though: It failed to apply an Apache patch that could have stopped it.
  3. The average data breach costs far less than Equifax’s, but the average breach still has a similar theme: Unpatched vulnerabilities. Keep your systems up to date to avoid a similar fate.

Hackers are getting an earlier start when it comes to bug hunting careers, according to a new report. Bugcrowd has released its second annual report, Inside the Mind of a Hacker 2.0, which details the demographics and motivations of the bug hunting community.

The report found that bug bounty programs are up more than 77 percent from 2016, and that this increase gives professionals a real opportunity to earn a living from bug hunting. In fact, 27 percent of bug hunters aim to do this full-time.

According to the report, 71 percent of bug hunters are 18-29 years old, compared to 11 percent last year. This indicates growing interest in bug hunting among young professionals. Eighty-two percent have completed some form of higher education and 16 percent have a master’s degree or higher.

The report also notes that more than half of the hunters have full-time jobs and 19 percent are full-time bug hunters, an increase of 26 percent over last year. In addition, 62 percent of bug hunters invest what they earn back into tools and training that make them more efficient. Other findings: 26 percent are driven by professional development, and 44 percent ranked the challenge as their top motivator, wanting to put themselves ahead of their peers.

“The pace of innovation has exponentially grown the attack surfaces beyond the availability of capable cybersecurity professionals which has left organizations open to destructive cyberattacks,” said Ashish Gupta, CEO of Bugcrowd. “The best defense is a good offense. The Crowd fights fire with fire. Committed to helping global organizations identify vulnerabilities, this diverse community of talented security researchers identifies vulnerabilities before adversaries can, expanding security coverage for organizations and ultimately ensuring the safety of the Internet.”

The report is based on trends among more than 65,000 researchers in the Bugcrowd community. The company says it identifies five types of security researcher: knowledge seekers, hobbyists, full-timers, virtuosos and protectors.

Hackers are compromising websites to mine cryptocoins via user’s CPU

For the last couple of weeks, the practice of inserting cryptocurrency-mining code into websites has been growing like never before. What should worry visitors is that the code uses their own computers to do the mining.

Recently, Trend Micro, a cybersecurity firm, discovered that attackers are compromising charity, school and file-sharing websites with code that makes the site use visitors’ CPUs to generate cryptocurrency.

In effect, the code turns the visitor’s computer into a miner. The more computers that run it, the faster the mining and the more money the operator makes, while the victims pay in CPU time and higher electricity bills.

According to Rik Ferguson, vice-president of security research at Trend Micro, “This is absolutely a numbers game. There’s a huge attraction of being able to use other people’s devices in a massively distributed fashion because you then effectively take advantage of a huge amount of computing resources.”

The security firm found that hundreds of well-known websites are running such code: some use the Coin Hive script, some the JSE Coin script, and some have no idea how the code got onto their sites.

To get rid of it, some site owners have simply removed the code, while others have updated their security policies and issued patches. Others are still investigating how their site was compromised and how the code ended up on it without triggering any warning.
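For a site owner who has no idea how the miner got there, the first step is finding it. The following is an added example, not Trend Micro’s or Coin Hive’s code: a static scan of a page’s HTML for script tags whose source URL or inline body matches a known miner loader. The signature patterns are assumptions about how the Coin Hive and JSE Coin loaders were typically embedded, and the sample page is constructed for the demo; extend the list for other miners.

```python
"""Static scan of a page's HTML for browser-based cryptocurrency miners.

Added illustration, not Trend Micro's or Coin Hive's code. The signatures are
assumptions about how the Coin Hive and JSE Coin loaders were typically
embedded; extend the list for other miners. The sample page is constructed."""
import re
import sys

# (label, pattern) pairs; the patterns are assumptions for illustration.
MINER_SIGNATURES = [
    ("coinhive-loader", re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js", re.I)),
    ("coinhive-start", re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I)),
    ("jsecoin-loader", re.compile(r"load\.jsecoin\.com", re.I)),
    ("worker-miner", re.compile(r"new\s+Worker\s*\([^)]*(miner|cryptonight)", re.I)),
]

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def find_miners(html):
    """Return (label, where, evidence) for every script tag whose src URL or
    inline body matches a miner signature. 'where' is 'src' or 'inline'."""
    hits = []
    for attrs, body in SCRIPT_RE.findall(html):
        candidates = [("inline", body)]
        src = SRC_RE.search(attrs)
        if src:
            candidates.append(("src", src.group(1)))
        for where, text in candidates:
            for label, pattern in MINER_SIGNATURES:
                match = pattern.search(text)
                if match:
                    # For an external script the URL itself is the evidence;
                    # for inline code, keep only the matched fragment.
                    evidence = text if where == "src" else match.group(0)
                    hits.append((label, where, evidence.strip()))
    return hits


# Constructed sample page: a harmless library plus a Coin Hive loader and starter.
SAMPLE_PAGE = """<html><head><title>Downloads</title>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<p>Free files for everyone.</p>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

if __name__ == "__main__":
    # Usage: python scan_miners.py saved_page.html   (no argument scans the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            html = f.read()
    else:
        html = SAMPLE_PAGE
    for label, where, evidence in find_miners(html):
        print(f"{label:16} {where:6} {evidence}")
```

Run it over a saved copy of each template and page on the site. A hit on an external loader points at a compromised template or a third-party include; an inline hit with no loader usually means the miner was injected into a database-stored page body.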

BBC reported that developers of Coin Hive are also taking action against those misusing their code for malicious purposes. “We had a few early users that implemented the script on sites they previously hacked, without the site owner’s knowledge. We have banned several of these accounts and will continue to do so when we learn about such cases,” Coin Hive told BBC.

In a tweet, FiveM, a modification framework for GTA V, said that it had issued a security update specifically to stop users from adding miners to their mods.

Cloudflare, a content delivery network and internet security service, also booted a torrent website off its service for secretly running a cryptocurrency miner. The company said the site was running “mining code without notifying users. … We consider this to be malware.”

Last month, The Pirate Bay was caught “testing” a cryptocurrency miner, and two domains belonging to Showtime, CBS Corporation’s premium cable network, were found mining cryptocoins without informing their visitors.

In another report, Trend Micro said that attackers are also using smart home devices to generate cryptocurrency. “Trend Micro data shows that more and more home devices are being compromised—we blocked over 90% more home network attacks in September compared to July, and most of the attacks are attempting to mine cryptocurrency,” said Trend Micro.

Although it is still rare, in-browser mining adopted on a long-term basis might replace ads for good, since advertisements can be malicious and annoying. However, the fact that it silently hijacks visitors’ CPUs deeply concerns users, so website owners should let visitors choose whether the site may use their CPU for mining.

The 2013 Yahoo breach affected all 3 billion of its users

New information


“At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected,” the announcement says.

“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”

The company reiterated that the stolen user account information did not include passwords in clear text, payment card data, or bank account information. “We are now notifying the additional user accounts” they noted.

They also noted that the additional accounts they are notifying now won’t be receiving notifications regarding the cookie forging activity revealed in March 2017. “Some of the additional user accounts we are notifying now about the August 2013 data theft may have been notified previously about the cookie forging activity if Yahoo believed that a forged cookie associated with their account was used or taken,” the company shared.

As a reminder: users’ names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers were compromised in the 2013 hack.

Most of the passwords were hashed with MD5, as Yahoo had only begun upgrading password protection to bcrypt in the summer of 2013. To be on the safe side, Yahoo forced a password reset on affected users and invalidated the unencrypted security questions and answers.
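Why the MD5-versus-bcrypt distinction matters for a leak of this size is easiest to see by cracking both. The following is an added example, not Yahoo’s code. bcrypt is not in Python’s standard library, so the slow hash here is PBKDF2-HMAC-SHA256 from hashlib, which shares the two properties that matter: a per-user salt and a tunable work factor. The leaked table treats the MD5 digests as unsalted (the worst case; whether Yahoo salted them is not stated here), and all usernames, passwords and the wordlist are constructed.

```python
"""Unsalted MD5 vs a salted, iterated hash: what an attacker pays per password.

Added illustration, not Yahoo's code. PBKDF2-HMAC-SHA256 from hashlib stands
in for bcrypt. The leaked table, users, passwords and wordlist are constructed;
the MD5 digests are assumed unsalted for the worst case."""
import hashlib
import hmac
import os

# Constructed "leaked" table: user -> unsalted MD5 of the password.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"Xk9#vQ2!pL").hexdigest(),  # not in the wordlist
}
WORDLIST = ["123456", "password1", "qwerty", "letmein", "welcome"]


def crack_unsalted(leaked, wordlist):
    """One MD5 per candidate word cracks every user at once: hash the wordlist
    once into a reverse lookup table and index the leaked digests into it."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the stored hash and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(stored_by_user, wordlist):
    """With per-user salts there is no shared table to index into: the attacker
    must run the slow hash for every (user, word) pair. Returns (cracked, work),
    where work counts slow-hash evaluations performed."""
    cracked, work = {}, 0
    for user, stored in stored_by_user.items():
        for word in wordlist:
            work += 1
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(LEAKED_MD5, WORDLIST), "after", len(WORDLIST), "MD5 calls")
    stored = {"alice": hash_password("password1"), "bob": hash_password("letmein")}
    cracked, work = crack_salted(stored, WORDLIST)
    print("salted PBKDF2:", cracked, "after", work, "slow hashes of", ITERATIONS, "iterations each")
```

The unsalted case costs one fast MD5 per wordlist entry regardless of how many users leaked; with three billion accounts the per-account cost is effectively zero. The salted case costs one slow hash per user per guess, which is why Yahoo’s migration to bcrypt mattered and why the MD5 accounts needed a forced reset.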

Industry comments


“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented,” says Bitglass CEO Rich Campagna.

“It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm,” he notes.

AttackIQ CRO Carl Wright says it’s time to try something new.

“Seriously, find protection failures before the adversary does. Consumers worldwide and shareholders deserve better,” he says.

“It is one thing to deploy security controls, it is completely another thing to know that they are working correctly. This is why we believe the best defense is a good offensive – continuously testing your security stack the same way the adversary does.”

RedBoot: A new ransomware that can encrypt and repartition your hard drive permanently

A newly discovered ransomware called RedBoot is one of the most dangerous yet. Not only does it encrypt files, it also alters the partition table and the master boot record (MBR), causing what appears to be permanent damage.

Early research into RedBoot hasn’t turned up a command and control server, nor are its operators asking for Bitcoin payment. Those facts, along with what looks to be irreversible encryption, are leading some to believe RedBoot is designed purely to do damage.

It’s possible that RedBoot is just poorly coded, which is where Lawrence Abrams of Bleeping Computer is leaning.

If you’re worried about catching RedBoot you don’t need to be—yet. RedBoot’s developer contacted Abrams and told him that the current version is a development build. The final version, the developer said, will be out in October.

That’s when you’ll need to start worrying.

How RedBoot destroys computers

RedBoot’s current version comes as a compiled AutoIt executable that extracts into five components: an assembler, a boot.asm that the assembler turns into boot.bin, an overwrite executable that writes boot.bin as the new MBR, an executable that encrypts files, and another executable that prevents programs like Task Manager and Process Hacker from running.

After RedBoot does its work it restarts the computer and the new MBR simply boots to a red screen containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.


As part of its execution sequence RedBoot also changes the partition table, and Abrams hasn’t discovered a way to reverse it.
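Because RedBoot’s damage is to the first sector rather than to files, the readiness check that matters is whether you can tell the MBR and partition table have changed and restore them. The following is an added example, not RedBoot’s or Bleeping Computer’s code: it parses a 512-byte MBR (boot code, four partition entries, 0x55AA signature), hashes the boot code, and compares the result against a baseline taken while the machine was healthy. The sample MBRs are constructed with a filler boot region; the `dd` command in the comment is the usual way to capture a real one.

```python
"""Parse and baseline a 512-byte MBR so a RedBoot-style overwrite of the boot
code or partition table is detectable. Added illustration, not RedBoot's or
Bleeping Computer's code; the sample MBRs below are constructed.

Capture the baseline while the machine is healthy, e.g. on Linux:
    dd if=/dev/sda of=mbr-baseline.bin bs=512 count=1
and keep the copy off the host so it survives an infection."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFF = 446     # four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr):
    """Return {'boot_code_sha256': hex, 'partitions': [dict, ...]} for a raw sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; sector is not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def load_mbr(path):
    """Parse a sector saved with dd (or read directly from a block device)."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(MBR_SIZE))


def compare_to_baseline(baseline, current):
    """Return human-readable differences; an empty list means unchanged."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed (possible bootloader replacement)")
    base = {p["index"]: p for p in baseline["partitions"]}
    cur = {p["index"]: p for p in current["partitions"]}
    for i in sorted(set(base) | set(cur)):
        if i not in cur:
            findings.append(f"partition {i} removed")
        elif i not in base:
            findings.append(f"partition {i} added")
        elif base[i] != cur[i]:
            findings.append(f"partition {i} changed: {base[i]} -> {cur[i]}")
    return findings


def build_sample_mbr(boot_code_byte, partitions):
    """Constructed MBR for the demo: filler boot code plus (bootable, type, lba_start, sectors) entries."""
    mbr = bytearray(bytes([boot_code_byte]) * BOOT_CODE_LEN)
    for bootable, ptype, lba_start, sectors in partitions:
        mbr += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)
    mbr += b"\x00" * (16 * (4 - len(partitions)))
    mbr += BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    healthy = parse_mbr(build_sample_mbr(0x90, [(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 500_000)]))
    tampered = parse_mbr(build_sample_mbr(0xCC, [(True, 0x07, 2048, 1_000_000)]))
    for line in compare_to_baseline(healthy, tampered) or ["no change"]:
        print(line)
```

Restoring the saved sector with `dd` brings back the partition table, but not files that RedBoot encrypted inside the partitions, so this complements the backups recommended below rather than replacing them.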

Poorly coded or not, RedBoot is a serious threat.

Preemptive protection


There’s no way of knowing how RedBoot will propagate itself come October, and that’s troubling considering all the damage it could do.

Businesses and individuals concerned about permanent loss of files should ensure workstations are backed up to some form of network or cloud storage, antivirus software definitions are up to date, and users are trained to avoid phishing and other scams.

It’s not often that a serious cyber threat is identified while still in development, nor is it common that the developer lets the world know when it will be released. With that information available it’s important to assess your level of readiness now.

RedBoot’s October release could be inconsequential, or it could be an epidemic that paralyzes businesses and permanently destroys data. Take this opportunity to ensure your place in the percentage of companies that aren’t affected by this highly lethal new form of malware.

Chrome plugin exploited Tinder privacy bug to track your friends’ location

Remember Tinder Social – the group meeting feature that got the popular dating app in trouble for outing its users to their Facebook friends? It turns out that, in addition to this, Social had another glaring privacy issue that made it possible for Tinder users to track their Facebook friends – and see their exact location.

To demonstrate how intrusive the group meeting feature can be, researchers from cybersecurity firm Detectify developed a creepy Chrome plugin that enabled them to use their Tinder account to triangulate the precise location of their Facebook friends.

As the security experts explain in a blog post, they exploited a well-known privacy weakness that lets a user export the Tinder IDs of their Facebook friends. The next step was to plot this data on one big map and automate it to continually update the friends’ locations with data from the app.

While Tinder has no official API, Detectify used Burp Suite, an intercepting proxy, to capture and replay the app’s traffic. This made it possible for the researchers to retrieve a list of all of their Facebook friends using Social and to see exactly how far away each of them was.

Detectify also worked out how to feed Tinder arbitrary latitude and longitude coordinates, changing their own reported location at will.

With distance readings and location spoofing in hand, the researchers wrote an algorithm that automatically triangulated (strictly, trilaterated, since it uses distances rather than angles) the location of their friends.
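The core of that algorithm is ordinary geometry: three distance readings taken from three known (spoofed) positions pin the target to the intersection of three circles. The following is an added example, not Detectify’s plugin or any Tinder API: the app is modelled as an oracle that, given the attacker’s spoofed coordinates, returns the distance to the target, and the target and probe points are constructed. Subtracting the circle equations pairwise leaves two linear equations in the target’s local x, y, which Cramer’s rule solves; a `precision_m` parameter models an app that rounds its distance readout.

```python
"""Recover a user's position from three distance readings, the trick the
Detectify plugin automated. Added illustration, not Detectify's code or any
Tinder API: the app is modelled as an oracle returning the distance from the
attacker's spoofed position to the target. Positions are constructed."""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres; stands in for the app's distance readout."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def to_local_xy(lat, lon, lat0, lon0):
    """Flat east/north metres relative to (lat0, lon0); accurate over a few km."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def from_local_xy(x, y, lat0, lon0):
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def trilaterate(readings):
    """readings: three ((lat, lon), distance_m) pairs -> (lat, lon) of the target.

    Each reading is a circle (x - xi)^2 + (y - yi)^2 = ri^2. Subtracting circle 1
    from circles 2 and 3 cancels the squares and leaves two linear equations."""
    (lat0, lon0), _ = readings[0]
    pts = [(to_local_xy(lat, lon, lat0, lon0), d) for (lat, lon), d in readings]
    (x1, y1), r1 = pts[0]
    (x2, y2), r2 = pts[1]
    (x3, y3), r3 = pts[2]
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("probe points are collinear; move the third probe off the line")
    x = (c1 * b2 - c2 * b1) / det   # Cramer's rule
    y = (a1 * c2 - a2 * c1) / det
    return from_local_xy(x, y, lat0, lon0)


def simulate_attack(target, probe_points, precision_m=1.0):
    """Spoof the attacker's location to each probe point, read the distance the
    app reports (rounded to precision_m), then trilaterate.
    Returns (estimated_lat, estimated_lon, error_m)."""
    readings = []
    for lat, lon in probe_points:
        d = haversine_m(lat, lon, *target)
        readings.append(((lat, lon), round(d / precision_m) * precision_m))
    est = trilaterate(readings)
    return est[0], est[1], haversine_m(*est, *target)


# Constructed scenario: a target in central Paris and three spoofed probe points.
TARGET = (48.8584, 2.2945)
PROBES = [(48.8700, 2.3000), (48.8500, 2.3300), (48.8450, 2.2700)]

if __name__ == "__main__":
    for precision in (1.0, 100.0):
        lat, lon, err = simulate_attack(TARGET, PROBES, precision_m=precision)
        print(f"readout precision {precision:>5.0f} m: estimate {lat:.5f}, {lon:.5f}; error {err:.1f} m")
```

Running the block with coarser readout precision shows why rounding the distance only weakens the attack rather than stopping it: a 100 m readout still lands within a few hundred metres, and repeating the probes from more points and averaging narrows that further. This is the sense in which Detectify says Tinder could have made the research harder but not impossible.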

In all fairness, Detectify is hardly the first company to exploit this setup.

In fact, Tinder previously addressed this issue and argued it is more of a feature, than a bug. The company later made Social an opt-in feature to further protect the privacy of its users, but it clarified that anybody who activates Social will be vulnerable to this loophole. Since then, it has killed off Social altogether.

Still though, numerous opportunists have already used this workaround to cash in by secretly outing Tinder users.

As Detectify puts it, user location needs to be publicly available for Tinder to work: “They could have made our research harder, but they could not have stopped it.” So ultimately it is up to you to decide on which side of the trade-off you want to be: Is a date more important to you than your privacy?


Large DDoS attacks over 50 Gbps have quadrupled between 2015 and 2017

Organizations are experiencing an increase in the magnitude of DDoS attacks, with the share of organizations whose average attack exceeds 50 Gbps quadrupling in just two years, according to A10 Networks.

Growth of DDoS attacks

The study also found that the gargantuan 1 Tbps attacks that began last year with the Mirai botnet have left their mark: 42% of organizations reported an average DDoS attack size greater than 50 Gbps, up from only 10% in 2015.

Multi-vector DDoS attacks continue to increase and assault networks and applications at a rapid pace, according to the report, which found the percentage of organizations that experienced between 6 to 25 attacks per year has increased from 14% in 2015 to 57% in 2017.

Network layer still the primary target

Even as DDoS attacks are increasingly impacting other areas of the stack such as the application layer, attacks at the network layer are still the most prevalent, with 29% of respondents encountering attacks at the network level.

Downtime is down

However, DDoS solutions are rising to the challenge, with improved attack mitigation and remediation solutions shrinking the amount of downtime. As DDoS attacks take place, the downtime for organizations has shifted from increments of days to hours. The survey found that in 2017, only 15% of attacks resulted in greater than 25 hours of downtime, compared to 29% in 2015.

Multi-vector DDoS attack breakdown


DDoS prevention budgets increasing

A significant proportion of organizations are looking to increase their budget allocations for preventive DDoS solutions: 74% of respondents say their DDoS budgets are increasing, compared to 54% two years ago. The share of overall budgets allocated to DDoS prevention has also risen, from 22% to 29%.

Breadth of IT professionals expanding to address DDoS prevention

While IT security teams still top the list of those primarily responsible for preventing DDoS attacks, other roles have grown in importance since 2015. A wider and more experienced array of IT professionals, such as network administrators, security architects and network architects, is now involved in DDoS prevention, indicating growing skills and experience across disciplines.

iOS 11 has introduced a Snapchat loophole that is allowing people to secretly record other users’ snaps

Apple’s new iOS 11 update has introduced an iPhone feature that has unsettling ramifications for Snapchat users.

The operating system’s new screen record function is allowing some Snapchat users to record other people’s snaps without alerting them.

The app allows users to share photos and videos, called snaps, which disappear after a set amount of seconds, and screen-grabbing other people’s snaps is generally considered poor etiquette.

Until now, the only way to capture someone else’s snap was via a screenshot, after which the sender received a notification that their photo or video had been screen-grabbed.

This week iOS 11 introduced a screen record button in the iPhone’s Control Centre that lets people make video recordings of whatever is on their screen.

Some Snapchat users have reported that the app is sending a screenshot notification when screen record is used while viewing someone else’s snaps.

Social experiment screenshot recordings for iOS11 notifies anyone on snapchat you took a screenshot of their snap. I have done that to 5 people

The Telegraph understands that Snapchat is attempting to fix the issue in its latest app update (version 10.17.5), which was released today. However the fully-updated app may not be able to detect when screen record is on if the person using it hasn’t also installed the latest version of Snapchat.

Tests conducted by the Telegraph showed that users were not getting alerts when snaps were captured using screen record until they installed the 10.17.5 update.

Even with the latest update, our tests found that screen recording didn’t always trigger a screenshot notification, and when it did these sometimes came through after a delay.


The issue will prove unsettling for regular Snapchat users, who are used to posting transient photos and videos knowing they’ll be alerted if anyone records them.

Snapchat’s ephemeral nature has been key in driving its rapid growth since it was founded in 2011 by a trio of Stanford University undergraduates.

Last month Snapchat announced it had reached 173 million daily users in the second quarter of this year and over 10 million people use the app on a daily basis in the UK.

The app is particularly popular with younger people with 45 per cent of Snapchat users aged between 18 and 24.


Plenty of blame to go around for Equifax breach

If you’re not reading this on another planet or in a bunker somewhere, then you’re likely aware of the recent breach of data from credit agency Equifax. Reports indicate that unknown attackers took advantage of a vulnerability in an Equifax web application to purloin personally identifiable information from 143 million people, including Social Security numbers.

And shortly thereafter, all the industry pundits weighed in, pointing fingers in all different directions. The problem is they used open-source code. The problem is that their software development practices need to change. The problem is there is a talent gap that can’t keep up with business changes and technology advances. The problem is that leadership has never taken security as seriously as they should, as they are not up to speed on the amount and danger of the threats out there in the wild.

Sadly, many of those 143 million people were not even aware that Equifax had their data. Because regulations allow businesses to sell their customer lists to other companies, a person downloading music could have had his data sold on to another company without his knowledge or consent.

One of the things that made this incident even more disturbing than Equifax’s disregard for the protection of private, personal data is that it did not reveal the breach until months after it occurred. Cybersecurity company eSentire says one thing being overlooked is that Equifax’s contractual breach-notice obligations would in many cases have required it to report the incident to its clients within 24 hours, not weeks. And because Equifax has large clients in New York, it is governed by the New York DFS NYCRR rules, which dictate 72 hours for breach reports, again not weeks. Did its clients receive notification within those timeframes?

Mark Sangster, VP and Industry Security Strategist at eSentire, says, “Given the nature of Equifax data and the magnitude of the breach make this a watershed moment in breach detection and response. Many difficult questions will be asked and become the crux of numerous legal actions that will likely stem from this event. The most obvious, is why it took so long to disclose the breach. The risk to consumers begins to drop exponentially as soon as the breach becomes public, and affected companies and consumers can take defensive measures to protect their financial identity and funds.

Yet, Equifax waited over a month to respond and provide breach notice. Headquartered in Atlanta, Equifax is bound by the state breach notification laws of Georgia, which require a firm to report a breach, stating, ‘The notice shall be made in the most expedient time possible and without unreasonable delay.’ In some circumstances, notification is to be made within 24 hours. Did Equifax meet this requirement and do everything in its power to protect those affected by the breach?

But to fully understand what happened with the Equifax hack, businesses need to understand that software applications are not written from scratch. Rather, 80-90% of a modern application is built using open source components – like Apache Struts (the alleged culprit in the Equifax hack).

According to a recent Sonatype report, software developers download these components from repositories that house billions of open-source software components. Sonatype’s research shows that only 57% of organizations have a software governance policy, which ensures that development organizations download only approved components, and 65% do not have meaningful controls over what components are in their applications. As Equifax learned the hard way, software components age like milk, not wine: the older a component is, the more likely it is to be either vulnerable or defective.
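The governance policy Sonatype describes, and the unpatched Struts component the earlier Equifax piece traces the breach to, both come down to one mechanical check: does the build’s dependency inventory contain anything below the approved minimum version or older than the policy allows? The following is an added example, not Sonatype’s tooling. It parses the line format printed by `mvn dependency:list`, compares versions numerically (so 2.5.10.1 sorts above 2.5.10), and flags components by minimum version and by age. The Maven output, the policy’s minimum version and the release dates are placeholders constructed for the demo; take real minimums from the vendor advisory and real release dates from the repository’s metadata.

```python
"""Gate a build on its dependency inventory: flag components below the policy's
minimum approved version or older than a maximum age.

Added illustration, not Sonatype's tooling. Input is the line format printed
by `mvn dependency:list`; the sample output, the policy's minimum version and
the release dates are placeholders for the demo, not real advisory data."""
from datetime import date
import re
import sys

# [INFO]    group:artifact:packaging:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<pkg>\w+):(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(v):
    """'2.3.31' -> comparable tuple. Pads to five numeric parts so '2.5.10.1'
    sorts above '2.5.10'; a qualifier such as '-SNAPSHOT' sorts below the release."""
    core, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums += (0,) * (5 - len(nums))
    return nums + ((0,) if qualifier else (1,))


def parse_dependency_list(text):
    """Return [(group:artifact, version), ...] from mvn dependency:list output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line.strip())
        if m:
            deps.append((f"{m['group']}:{m['artifact']}", m["version"]))
    return deps


def evaluate(deps, policy, release_dates, today, max_age_days=365):
    """policy: coordinate -> minimum approved version.
    release_dates: (coordinate, version) -> date that version was published.
    Returns [(coordinate, version, reason), ...]; empty means the build passes."""
    findings = []
    for coord, version in deps:
        minimum = policy.get(coord)
        if minimum and parse_version(version) < parse_version(minimum):
            findings.append((coord, version, f"below approved minimum {minimum}"))
        released = release_dates.get((coord, version))
        if released and (today - released).days > max_age_days:
            findings.append((coord, version, f"released {released}, older than {max_age_days} days"))
    return findings


# Constructed sample data (placeholders, not real advisory data).
SAMPLE_MVN_OUTPUT = """[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    com.example:internal-utils:jar:1.4.0:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.25:compile
"""
POLICY = {"org.apache.struts:struts2-core": "2.3.32"}  # placeholder minimum
RELEASE_DATES = {
    ("org.apache.struts:struts2-core", "2.3.31"): date(2016, 10, 1),
    ("com.example:internal-utils", "1.4.0"): date(2015, 3, 1),
    ("org.slf4j:slf4j-api", "1.7.25"): date(2017, 3, 16),
}

if __name__ == "__main__":
    # Usage: mvn dependency:list | python governance_gate.py   (no stdin uses the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MVN_OUTPUT
    findings = evaluate(parse_dependency_list(text), POLICY, RELEASE_DATES, date.today())
    for coord, version, reason in findings:
        print(f"FAIL {coord}:{version}: {reason}")
    sys.exit(1 if findings else 0)
```

Wiring the exit code into the build makes the policy a gate rather than a report: a component that is below the advisory’s minimum version, as Struts was at Equifax for two months after the March advisory, cannot ship without someone consciously overriding the failure.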

Wayne Jackson, CEO of Sonatype blames C-level executives. “For far too long, businesses have under-invested in software integrity, relying on network-based defenses that are incapable of protecting many exploit vectors, including those associated with open-source security defects. The Equifax breach and loss of 143 million records (including mine) serves as a painful reminder of why every link in the software supply chain must be automatically and continuously managed. To do otherwise is simply negligent.”

Lev Leshokhin, EVP of strategy and analytics at software quality measuring tool provider CAST Software, says developers today have too narrow a focus and do not consider the business implications of what they create.

“What Equifax brings to light is that we are under a shortage of talented developers and cannot keep up with business demand and tech complexity at the same time, creating further software risk. The solution is NOT to rely on the ability to hire good developers so they write good software – there just aren’t enough skilled developers with whole-system vision to go around. We need to take our most senior developers, have them design the architectures for data protection, and then ensure these architectural constructs are followed by the developer plebiscite with every build.

“What we saw in the CAST survey of developers just released in September,” he continued, “is that only about half (54%) of developers understand the architecture of their overall application. This means that the other half are working in silos and have little to no visibility into how their component can endanger the rest of the system. Combine that with the fact that more than 60% of developers report their dream job is at Google, and you can be sure that software engineers at financial institutions or retailers are bringing down these statistics.”

The harshest criticism of Equifax’s response and explanation was leveled by a software testing expert who wished to remain anonymous to comment on the case. “I heard that Equifax is blaming all this on a bug in some open-source web software. If true, then I call utter bull**** on that. The concept ‘defense in depth’ may have been conceived at night, but it wasn’t conceived ‘last’ night.”

Further, he said the main problem is not so much a lack of technical knowledge but rather a lack of caring. “Notice that immediately, I mean immediately, Equifax tried to turn this into a money-making opportunity, by offering ‘free’ credit monitoring that becomes not free after year… So, to them, this is not a bug, it’s a sales feature.”

The expert went on to say that ultimately, this comes down to Equifax and the other credit bureaus being able to pass on their costs of production failures to their customers. “Once software vendors and companies that use software are held fully accountable for the costs of bugs they put into production, this kind of nonsense will magically stop happening. In other words, once liability law catches up with the role software now plays in society, these problems will happen much, much, much less frequently.”

Fingers can be pointed in a lot of directions over this and other breaches, but the fact remains that these will continue until organizations start to elevate how they approach security and the investments they make in keeping our data secure. There are reports going around that Equifax hired a CISO with degrees in music and fine arts, but no mention of any formal education in software security. If the reports are true, that tells you all you need to know about how too many companies today still view security – as something to be merely fiddled with.

Billions of Bluetooth-enabled devices vulnerable to new airborne attacks

Eight zero-day vulnerabilities affecting the Android, Windows, Linux and iOS implementations of Bluetooth can be exploited by attackers to extract information from, execute malicious code on, or perform a MitM attack against vulnerable devices.

BlueBorne

The vulnerabilities, collectively dubbed BlueBorne by the researchers who discovered them, can be exploited without the user clicking a link or downloading a questionable file; in fact, no user action at all is required. Attacks exploiting them spread over the air, which makes them hard to detect and highly contagious, and users cannot tell when they are being hit with a BlueBorne attack.

The only prerequisite for a successful attack is that Bluetooth, a widely used wireless communication protocol for exchanging data over short distances, is enabled on the target device. Unfortunately, it is enabled by default on far too many devices.

“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” the researchers explained. “This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected..”

The vulnerabilities

The researchers, from enterprise IoT security company Armis, identified the following security flaws:

  • Linux kernel RCE vulnerability – CVE-2017-1000251
  • Linux Bluetooth stack (BlueZ) information leak vulnerability – CVE-2017-1000250
  • Android information leak vulnerability – CVE-2017-0785
  • Android RCE vulnerability #1 – CVE-2017-0781
  • Android RCE vulnerability #2 – CVE-2017-0782
  • The Bluetooth Pineapple in Android – Logical Flaw – CVE-2017-0783
  • The Bluetooth Pineapple in Windows – Logical Flaw – CVE-2017-8628
  • Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315
More technical details about each can be found in the researchers’ paper, but the short story is this:

“The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to ‘discoverable’ mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.”

Armis also published a video demonstration of a BlueBorne attack against a Samsung smartwatch running the Linux-based Tizen OS.

“These silent attacks are invisible to traditional security controls and procedures. Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them,” noted Yevgeny Dibrov, CEO of Armis.

How many and which devices are vulnerable?

According to the researchers, the BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today.

Among the vulnerable devices are Google Pixel smartphones, Samsung Galaxy phones and tablets, all Windows computers since Windows Vista, Samsung smartwatches, TVs and refrigerators, all iPhone, iPad and iPod touch devices running iOS 9.3.5 and lower, Apple TV devices running version 7.2.2 and lower, the Pumpkin car audio system, and so on.

Naturally, the discovery of the vulnerabilities was shared months ago with the likes of Google, Microsoft, Apple, Samsung, and the Linux kernel security team.

Google pushed out patches in the September Android update (for Nougat and Marshmallow, i.e. v7.0 and 6.0) and provided them to its partners in August (but who knows how soon those partners will ship them to users). Microsoft pushed out patches on Tuesday, September 12.

Apple will not be pushing out an update, because the vulnerability affecting its Bluetooth implementation was already mitigated in iOS 10, and users are encouraged to upgrade to it. Finally, Linux maintainers will release a fix soon.

But in the meantime, users can also protect themselves by simply switching off Bluetooth on their devices.

The scope of the risk

“In the past, most Bluetooth vulnerabilities and security flaws originated in issues with the protocol itself, which were resolved in version 2.1 in 2007. Nearly all vulnerabilities found since were of low severity, and did not allow remote code execution. This transition occurred as the research community turned its eyes elsewhere, and did not scrutinize the implementations of the Bluetooth protocol in the different platforms, as it did with other major protocols,” the researchers noted.

Bluetooth is a difficult protocol to implement, and the researchers are concerned that the vulnerabilities they found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities.

“Bluetooth has become one of the most commonly used technologies to connect one device to another and as the discovery of this zero-day clearly shows, it’s also a big risk,” Leigh Anne Galloway, cyber security resilience lead at Positive Technologies, commented.

“While patches for smartphones, laptops and other internet-enabled devices are relatively easy to push out, for dumber gadgets the same can’t be said. There’s a huge number of ‘things’ that rely on Bluetooth to perform their function – like speakers, or computer keyboards and mice – and, short of turning them off, there isn’t a fix and that is going to leave millions vulnerable.”

“Long term, the answer is that if any device can connect to another in any way, it needs to have security built in from the outset or hackers are going to take advantage of it. In the short term, make sure that any devices that can be updated are and, where possible, turn the Bluetooth off of anything not in use,” she concluded.