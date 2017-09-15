The highly eclectic and fragmented nature of devices relying on Bluetooth means that some may never issue secure updates.

The recently disclosed collection of "BlueBorne" vulnerabilities that were found to affect at least 5.3 billion Bluetooth-enabled devices has revealed several inconvenient truths about the short-range communications protocol, experts are saying.

Bluetooth technology has long been overlooked by security experts and bug hunters, especially in comparison to other protocols. And because of the highly eclectic and fragmented nature of devices relying on Bluetooth, it could take weeks or months for some product manufacturers to apply software patches, while others may never issue secure updates.

"Bluetooth is complicated. Too complicated," states a technical paper published by IoT security company Armis, whose researchers discovered the eight BlueBorne vulnerabilities on products running on Android, iOS, Linux, and Windows. "Too many specific applications are defined in the stack layer, with endless replication of facilities and features. These over-complications are a direct result of the immense work and over-engineering that was put into creating the Bluetooth specification."

"The complications in the specifications translate into multiple pitfall junctions in the various implementations of the Bluetooth standard," adds Armis, which posits that the complex nature of Bluetooth has dissuaded researchers "from auditing its implementations at the same level of scrutiny that other highly exposed protocols, and outwards-facing interfaces have been treated with."

For that reason, a large number of vulnerabilities in Bluetooth may yet remain, noted Armis, warning that BlueBorne may be just the tip of the iceberg.

In a blog post, Check Point Software Technologies agreed with the premise that the Bluetooth protocol has been "discarded and ignored by the research community for years," noting that bug hunters may have been misled by two common misconceptions.

"The first misconception is that Bluetooth cannot be intercepted via the air, the second [is] that it always requires some sort of user interaction," the Check Point research team states. Armis disabused the security community of these false notions, after announcing that attackers can leverage BlueBorne flaws to intercept Bluetooth devices' communications and infect them over the air, and that a device's Bluetooth feature only needs to be turned on for such exploits to work.

Experts also pointed out the difficulties of patching vulnerable Bluetooth devices, both on the part of the consumer and the original equipment manufacturers who must implement security updates issued by the OS developer.

