This Week in Security: BlueBorne and Killer Sex-Bots

BlueBorne: The Latest in the New Wave of Bluetooth-Based Attacks

Researchers at Armis have disclosed eight vulnerabilities in the Bluetooth stacks of the major operating systems, affecting millions of devices worldwide. The flaws range from information disclosure to remote code execution, require no user interaction, and can be used against any device with Bluetooth enabled; the target does not have to be paired with the attacker or even in discoverable mode.

Affected platforms include Android, iOS, Windows and Linux, which covers everything from smartphones to smart cars and every dumb IoT (Internet of Things) device in between. The firm has collectively named this pack of exploitive joy “BlueBorne,” stating that, in theory, a compromised device could infect and spread to neighbouring devices like an airborne virus.

The vulnerabilities were reported to vendors in April of this year, and updates have been rolling out in a coordinated fashion. Microsoft shipped its fix first, in July; Google’s Android patch and the Linux kernel fixes followed in early September.

Apple devices running the latest versions of iOS and macOS were not affected; legacy devices stuck on iOS 9.x, however, will remain vulnerable. Likewise, many devices, especially EoL (End of Life), IoT and embedded devices, will never receive a patch for this attack.

Fortunately, the attack does have some practical limits. The first is Bluetooth’s range: an attacker has to be within radio range of the target, which is on the order of tens of meters (about 10 m for the Class 2 radios in most phones, up to roughly 100 m for Class 1 devices).

In addition, exploitation will not be universal. An attacker has to craft a separate exploit for the OS of each affected device, which makes the truly wormable, ‘airborne’ exploit the authors suggest far less likely in practice. Nor is every device vulnerable to all eight issues: half of them are critical, and the remainder are information disclosure or interception/spoofing issues.

Until a patch arrives, users are advised to turn off Bluetooth when not in use. Armis has also released an Android app that checks whether your device, or any other device in Bluetooth range, is vulnerable: a handy tool for blue and red teams alike.

Killer Sex-Bots: A Dangerous Proposal

The debate over artificial intelligence (AI) bringing about the end of mankind has been a heated one of late, especially in the last few weeks with Elon Musk and Putin both chiming in, collectively harmonizing our death rattles.

The call to arms and the outcry of warnings rose to a whole new level when Dr. Nick Patterson of Deakin University in Australia apparently watched Westworld, Blade Runner, Austin Powers, Transformers 2, and Ex Machina in the same weekend and declared that mankind is absolutely, 100% going to die from hacked sex robots.

Patterson stated, “Hackers can hack into a robot or a robotic device and have full control of the connections, arms, legs and other attached tools, like in some cases knives or welding devices.”

This wouldn’t be the first time adult toys have landed in hackers’ crosshairs. In March, sex toy maker We-Vibe agreed to pay up to C$4 million (about US$3 million) to customers after its companion app collected intimate usage data without adequate consent. Researchers have also demonstrated, in a number of stunt hacks, that remotely controllable sex toys can be hijacked and operated by an attacker.

While his statement is questionable, the number of sex robots and the growth of sex robotics are not. Sex robots are quickly becoming one of the fastest-growing adult-focused industries in the world. With advances in machine learning, 3D printing, complex textiles, and the falling cost of miniaturized mechanisms, the field is set to thrive over the next 20 years.

In parts of Europe, sex robots are being offered in place of sex workers as a way to reduce crime and disease. A few boutique hotels in Ireland, Germany, Spain, the Netherlands, Sweden, and Belgium even offer stay-overs with customized sex bots, where the client selects both the bot and its feature set before booking a reservation.

The number of sex robot companies has also skyrocketed. In 2010 there were fewer than 15 companies dedicated to making “adult companion” robots; in 2017 there are over 125.

Currently there is no evidence of any attack as sophisticated as those Patterson describes. An attacker would have to know the make, model, firmware version and software versions of the target, then find an exploitable vulnerability that lets them override the device’s mechanical controls and operate it remotely. With that much effort, an attacker could accomplish other goals, such as blackmail or old-fashioned physical assassination, with far less work.

However, the irony of being killed by a sex droid still has its own poetic justice and an air of cyberpunk that would make quite an impressive statement on some poor sap’s tombstone.