Mobile devices in Hong Kong at risk of Blueborne cyberattacks

Government computer emergency team advises users to update devices with patches to prevent possibility of malicious code infections spread through flaws in Bluetooth wireless technology

PUBLISHED : Thursday, 14 September, 2017, 4:22pm
UPDATED : Friday, 15 September, 2017, 10:24am

Hongkongers could be among the millions of people worldwide at risk of malicious attacks on their mobile devices, laptops and other devices after flaws were discovered in the widely used Bluetooth wireless technology, according to cybersecurity experts.

The loopholes, collectively called Blueborne, were made public earlier this week by security research company Armis. They could potentially allow attackers to remotely take control of unpatched Bluetooth-enabled devices such as laptops, smartphones, smart home appliances and even driving systems to execute malicious code or intercept device traffic.

The Hong Kong government’s computer emergency response team issued an alert on Wednesday, advising users in the city to update their devices with patches, once available, to protect themselves, and to disable the Bluetooth function if it is “unused or unnecessary”.

Malware using Bluetooth as a transmission method means that viruses are effectively “airborne”, since devices do not need to be connected to the internet to become infected.

“There are huge numbers of Bluetooth-enabled devices around the world, and if any device isn’t patched, and comes within 30 feet or so of an infected device, it can become compromised within seconds,” said Michael Gazeley, chief executive of Hong Kong-based cybersecurity firm Network Box.

“A self-replicating computer worm could, like a biological virus infecting humans, spread itself right across the globe like wildfire,” he said.

Armis researchers estimated that over 5.3 billion devices could be affected.

The vulnerabilities in Bluetooth would affect devices running unpatched versions of Google’s Android operating system, Microsoft’s Windows, the Linux operating system, and Apple’s iOS.

Tech companies have addressed the issues by releasing patches that fix the loopholes. Apple said that it had patched the Bluetooth vulnerabilities with its iOS 10 update last year, and both Google and Microsoft put out patches this month after Armis told them of the issue.

The larger problem lies with smartphone manufacturers whose devices run on Google’s Android OS, as the manufacturers are the ones responsible for delivering Google’s security patches and updates to their users.

A large number of Samsung devices remain unpatched, with Armis saying it had contacted Samsung about the vulnerabilities on three occasions in April, May and June, without receiving a response from the South Korean electronics giant.

Armis released an Android tester app that could tell users if their device was still vulnerable – as of Wednesday, a variety of Samsung devices, including the Samsung Galaxy S8, were still marked as vulnerable to malware attacks transmitted by Bluetooth. However, Samsung told the Post in an emailed statement that it had been rolling out security patches since August 30, when it was informed by Google about the vulnerabilities.

Armis also estimated that 40 per cent of devices affected by the vulnerability would never be patched, either because the devices were old and no longer received firmware updates, or because patching such devices would be too complex for users.