A set of previously unknown security vulnerabilities in Bluetooth technology reportedly left billions of devices at risk of hacking, a team of Internet-of-Things (IoT) researchers has said.

Experts from Armis, a security firm, claimed last week to have found a series of flaws that put up to 5.3 billion devices with Bluetooth capabilities at risk of a highly-infectious type of attack. It could reportedly take over smartphones, smartwatches, TVs, and laptops.

Based on a proof-of-concept, the security gaps – which have been dubbed "BlueBorne" – could be used by hackers to spread malware or intercept data.

Unlike traditional cyberattacks, the Bluetooth method doesn't need a victim to fall for a malware-ridden link or download a booby-trapped document.

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date and can enable a complete takeover of the target device," experts asserted.

If Bluetooth is enabled, Armis explained in a YouTube video; a hacker could connect to the device and force surrounding web-connected technology to become a "carrier" for the virus.

"These silent attacks are invisible to traditional security controls and procedures," said Yevgeny Dibrov, the chief executive of Armis, in a statement.

"Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," he added.

"Previously identified flaws found in Bluetooth were primarily at the protocol level," Armis claimed. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."

In many ways, if it takes hold, the flaw resembles a digital airborne virus.

While the total number of potentially-at-risk devices is astounding, there has seemingly been no known cases of hackers using the technique to exploit Bluetooth in the wild.

But that may change as it will continue to impact devices which no longer receive security updates and bug fixes.

"The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive," researchers said.

"If no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained," he added. "When exploits like these are found on technology that is integrated into almost every device we use, it's a real concern."

What devices are affected?

Android. All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution, one results in information leak, and the last allows an attacker to perform a Man-in-The-Middle attack.

Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin on September 4, 2017. 

Windows. All Windows computers since Windows Vista are affected by the “Bluetooth Pineapple” vulnerability which allows an attacker to perform a Man-in-The-Middle attack.
Microsoft issued security patches to all supported Windows versions on July 11, 2017, with coordinated notification on Tuesday, September 12. Windows users should check with the Microsoft release here for the latest information.
​
iOS. All iPhone, iPad, and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. iOS 10 fixed the problem, so no new patch is needed to deal with it. Users should upgrade to the latest iOS or tvOS version available.

Today’s connected car is not so much a smartphone on wheels; with so many microprocessors chatting with one another across and beyond the vehicle, it is now more aptly described as a data center on wheels.
A tremendous influx of software content, connectivity, entertainment services and autonomy functionality is transforming vehicles. We are rapidly approaching a point in which the automobile will be built around the software, as opposed to the other way around.

Tesla recently made the first deliveries of its mass market “Model 3” electric vehicle. Controls are focused around a large touch screen and the shifter adds “Autopilot” to the traditional “Park”, “Reverse”, “Neutral” and “Drive” options. Full self-driving capability is promised for a later date with simply an Over-the-Air software update.

This generalized shift to software, in turn, means the opportunity for a cyber-attack is growing rapidly. Even with the larger potential attack surface, and while cybersecurity threats will never be eliminated altogether, it is also true that substantial work is taking place to engineer tomorrow’s vehicles to be systematically more able to deal with those threats in a safe and predictable manner.

Vehicle manufacturers have announced these important vehicle cybersecurity enhancements:
     •  Building-in security features to protect safety critical systems,
     •  Isolation of control systems from communications systems,
     •  Leveraging security techniques to limit unauthorized access to software and updates,
     •  Use of threat modeling and simulated attacks to inform design decisions and
   • Creation of the  Auto ISAC (Automotive Information Sharing and Analysis Center) to enhance cybersecurity awareness and collaboration across the industry.

Cybersecurity is being moved to the vehicle’s design foundation, thanks to increased coordination across the broadening, diversifying automotive ecosystem. We are seeing the industry move away from the traditional point-to-point approach to self-healing systems.

The effect is the emergence of a holistic, systems-level approach to building organically secure vehicles that are ultimately capable of self-healing. Self-healing means responding to the inevitable cybersecurity threats in a safe and predictable manner. For example, in detecting and suppressing the introduction of malware or anomalous instructions in the auto ecosystem from manufacturers and suppliers, to communication and control systems throughout vehicle lifetimes.

Security by Design. Security simply can no longer be an afterthought. Security must be a foundational consideration throughout the entire software-development flow for automobiles, from design to delivery. Original equipment manufacturers (OEMs), Tier 1 suppliers and other industry stakeholders must all start wearing their Chief Security Officer hat.

The industry has always had a strong emphasis on physical security; security processes for brakes, steering and other physical components have long been intensely codified. So sudden has been the surge toward software in vehicles, however, that it has somewhat crept up on the industry. Cybersecurity has effectively been stapled on top of more and more sophisticated services leveraging increased Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications. 

There have been some limited-in-scope efforts to move toward an approach of security by design and establish shared guidelines. For example, the U.S. Department of Transportation (DoT) set up the Public Key Infrastructure (PKI) and its certification process that ensures trust and security in the building of V2V and V2I systems.

There is now recognition growing across the industry that the collaboration must be significantly more inclusive in order to sufficiently address the challenges. In the last two years, cybersecurity incidents have been reported broadly across the industry at Chrysler, Ford, GM and Tesla, as well as in commercial vehicles. High tech car thieves today are leveraging laptops and potentially even smartphone apps to steal vehicles.
Risk Management. There is a bit of sensational hysteria growing around the global security conversation with automobiles becoming more and more connected and autonomous. The truth is that the global, increasingly broad automotive ecosystem is working more collaboratively to architect vehicles with cybersecurity at their foundation.

Risk based approaches such as NIST’s Cybersecurity Framework (CsF) are already mandatory for government agencies and recommended for critical infrastructure such as transportation.

Reporting, Sharing and Training. While the automotive industry has a very mature approach to reporting, information sharing and training when it comes to physical issues with the car—well-defined reporting and recall processes around a problem with the brake or accelerator, etc.—the model around software and cybersecurity is not nearly as formalized.
​
The good news is that new technologies such as automotive Intrusion Prevention Systems (IPS) and Runtime App Self Protection (RASP) are emerging to limit the scale of harm that can be unleashed by any single attack, to reduce attack surfaces and to harden cybersecurity capabilities. Because coordination is increasing, the ecosystem is moving toward a system-of-systems approach to automotive security.

Pancreatic cancer has a meager survival rate, with just 9% of patients surviving past five years. The disease, which killed Apple's co-founder Steve Jobs, is one of the hardest types of cancer to treat, but detecting and treating it early can make a big difference to survival rates. But researchers at the University of Washington have come up with a simple and incredibly accurate way to test for the cancer that people can administer themselves.

The team developed an app called BiliScreen, and with a smartphone's camera, it uses computer vision algorithms to detect levels of the chemical bilirubin in the whites of a person's eyes. With pancreatic cancer, bilirubin levels start to increase and eventually, it turns the whites of the eye yellow, which is also the case for hepatitis. However, when that yellowing becomes noticeable, the cancer is already very developed. BiliScreen can detect miniscule levels of bilirubin and provide users with an assessment of whether their levels are high enough to indicate possible disease. This is easier and cheaper than a blood test, which is the traditional test for the cancer and can be done before any symptoms start to show.
​
To take lighting into account, the app can be used with either a special box that blocks out ambient light or paper glasses with colored squares around the edges that the app is calibrated to. With the box, BiliScreen was around 90% as accurate as a blood test in identifying concerning levels of bilirubin in a small, 70-person clinical study. 

It seems no matter how big screens get on smartphones, they’ll never really be big enough. When Apple debuted the original iPhone in 2007, it only had a 3.5-inch display. Ten years on and smartphone screens have now ballooned up to a little over six inches. Some of the new “plus” models are practically tablets at this point.

If, however, you’re still in the camp that prefers something a bit more manageable but sort of wishes the screen was bigger at times, the Canyoze Screen Magnifier may well be a worthwhile investment. If you have kids, elderly family members, or simply want to share your screen with others without having to huddle close together, this is one surefire way to handle it.

Rather than spending extra on a tablet or even a mobile projector, the Canyoze will magnify your existing smartphone’s screen by up to 3x. Or in this case, enlarge it to a 7.6-inch screen. While it may slightly diminish the overall resolution of the picture or movie you’re viewing, it doesn’t require any electricity to work its magic so it will work anywhere you want it to, like on the plane or at the park.

It’s an easy way to show movies or YouTube clips on your phone, so everyone has a front row seat. Or use it to blow up photos when you’re gathered around to see the latest pics from your vacation.
​
When not in use, the Canyoze conveniently packs away into a folder that measures just 4.72” x 0.79” x 5.12”. For less than ten bucks, it’s a handy tool to keep on hand.