The latest smartphones, including the Galaxy Note 8, were sold while exposed to the "Bluetooth Blueborne" vulnerability.
US-based IoT security firm Armis announced on September 19 that the company found Blueborne, the latest Bluetooth vulnerability, and informed Google and handset makers of it. Blueborne works on all devices with Bluetooth on. An attacker can infect a Bluetooth-enabled device with malicious code and extract sensitive data from it. Blueborne turns smartphones and other devices into a zombie network that launches distributed denial of service (DDoS) attacks.
Armis uploaded an app to Google Play that checks for the Bluetooth vulnerability. Running the app on the Galaxy Note 8 revealed the vulnerability.
Security experts have confirmed that not only the Galaxy Note 8 but also the latest IT devices with Bluetooth capabilities are all in the same situation. Handset manufacturers urgently need to take quick action.
According to the Armis blog, Google released a security update to handset makers on August 7. A regular patch released on September 4 also has related content. Although Google releases the software that updates its operating system (OS), it is up to the manufacturer to actually update consumers' handsets. Samsung Electronics released the Galaxy Note 8 on September 15 but did not implement the Blueborne security update for the new model. Google announced a security update to its handset partners a month ago, but there was not enough time to apply the update to the Galaxy Note 8.
"We have been aware of the vulnerability and will carry out security updates sequentially for each model," a Samsung official said. "It is difficult to announce a specific date for each type of terminal."
This problem stems from the Android development ecosystem. Google builds the Android OS based on the Linux kernel, and manufacturers use it. It takes the manufacturers upwards of six months to develop firmware for each product, and the firmware goes through hardware (HW) optimization. Even though Google provided a security patch a month ago, it takes time to optimize it for each device. This is why Samsung Electronics and other companies are not able to update their Android OS to eliminate security vulnerabilities before launching their products.
Experts point out that it takes at least a month and up to three months to check that a security update works properly and does not conflict with other applications. During this period, a smartphone remains vulnerable and may become a zombie device used for other attacks.