Security researchers from Google and Intel discovered a high-severity security vulnerability in Linux. The bug concerns BlueZ, a software stack that implements all Bluetooth core protocols and layers for Linux. Attackers can exploit the vulnerability to execute arbitrary code with kernel privileges. The only catch is that the attacker needs to be within Bluetooth range. BlueZ is used by Linux-based laptops as well as various Internet of Things devices. Android (version 4.2 or higher) devices don't use BlueZ.
“I don’t really worry about bugs like these,” Dan Guido, mobile security specialist and the CEO of security firm Trail of Bits, told me. “I’m glad someone is finding them and getting them fixed, but it’s not a big concern for me.”
The lack of real-world risk is a good thing. Many IoT devices receive few if any security updates, making it likely that many devices used in both homes and businesses will remain vulnerable to BleedingTooth for the rest of the time they’re used. Many of these devices were likely already vulnerable to BlueBorne and several other security bugs that have bitten Bluetooth in the past. So far, there are no reports of any of them being actively exploited.