Patches have already been released or are
expected to see the light of day soon
Researchers have discovered a flaw in some
Bluetooth implementations that could allow an attacker to intercept or tamper
with data exchanged between two vulnerable devices.
The cryptographic bug, tracked as CVE-2018-5383, has been identified by scientists at the
Israel Institute of Technology. It impacts two related Bluetooth features:
Secure Simple Pairing and LE Secure Connections.
The Bluetooth Special Interest Group (SIG),
which is the governing body behind the Bluetooth standard, explained that some Bluetooth implementations or operating
system software drivers fail to validate the public encryption key received
over-the-air during device pairing.
To be sure, such a check is not required, but
only recommended by the Bluetooth specification. Or, rather, it was, as
SIG has also announced an update to the Bluetooth specification to the effect
that all parameters used for public key-based Bluetooth connections are
required to be validated.
The US CERT Coordination Center (CERT/CC)
released additional details about the vulnerability, explaining that
Bluetooth’s device-pairing mechanism relies on elliptic-curve Diffie-Hellman (ECDH) key exchange. “The
ECDH key pair consists of a private and a public key, and the public keys are
exchanged to produce a shared pairing key. The devices must also agree on the
elliptic curve parameters being used,” reads the advisory.
“In some implementations, the elliptic curve
parameters are not all validated by the cryptographic algorithm implementation,
which may allow a remote attacker within wireless range to inject an invalid
public key to determine the session key with high probability. Such an attacker
can then passively intercept and decrypt all device messages, and/or forge and
inject malicious messages,” according to CERT/CC.
All’s not lost
Software and firmware
updates are expected over the coming weeks, said CERT/CC, so users are
well-advised to stay tuned for fixes from vendors.
Apple, Broadcom, and Intel have all confirmed
the flaw, and the first two have already released patches. Qualcomm’s chipsets
are also listed as affected in CERT/CC’s advisory, while the implications for
Android, Google, and Linux kernel vis-à-vis the vulnerability have yet to be
determined. Windows is in the clear.
As per SIG, the bug is not known to have been
exploited in the wild. Either way, such a man-in-the-middle attack would
require the perpetrator to place themselves within the range of both targeted
Bluetooth-enabled devices that are going through the pairing procedure. In addition,
both devices need to be vulnerable for the attack to succeed.
Arguably, the easiest countermeasure is
turning Bluetooth off whenever you’re not using it.