A newly-discovered vulnerability affecting all Bluetooth devices lets third parties hack into the connection.
The IoT world is abuzz with the discovery of a new Bluetooth flaw that opens the door to man-in-the-middle attacks, which are exactly what they sound like — attacks where a third party wedges itself between two of your networked devices and helps itself to the sensitive data stored on each. These attacks are possible when the network has weak or no security, and that is precisely the problem inherent in CVE-2018-5383, a cryptographic flaw that affects two Bluetooth features — Secure Simple Pairing and LE Secure Connections.
The flaw is born out of a spec that allows Bluetooth vendors to opt out of public key authentication. When this happens, the connection between the two Bluetooth devices is not encrypted and any cybercriminal with a mind to do so can insert himself or herself into the communication, provided he or she is within 30 meters of the devices in question.
The need for such close proximity is the one aspect of this vulnerability keeping the tech universe from all-out panic. While the potential for this attack is very real, affecting all the major brands of Bluetooth devices (Google, Apple, Intel, and more), a hacker would have to be very near your device in order to hack into it. On top of that, patches are already being developed to fix the flaw.
Information belonging to over 100 Italian banks breached by the Ursnif banking trojan was obtained by Avast Threat Labs, which then shared the data with as many of the victims as could be identified.
Avast researchers obtained information that the Ursnif banking Trojan has targeted 100 Italian banks and may have thousands of victims.