A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.
The Bluetooth hacking vulnerability, tracked as CVE-2018-5383, affects firmware or operating system software drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm, while the implication of the bug on Google, Android and Linux are still unknown.
The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware.
How the Bluetooth Hack Works?
Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate devices supporting the two features to validate the public encryption key received over-the-air during secure pairing.
Since this specification is optional, some vendors' Bluetooth products supporting the two features do not sufficiently validate elliptic curve parameters used to generate public keys during the Diffie-Hellman key exchange.
In this case, an unauthenticated, remote attacker within the range of targeted devices during the pairing process can launch a man-in-the-middle attack to obtain the cryptographic key used by the device, allowing them to potentially snoop on supposedly encrypted device communication to steal data going over-the-air, and inject malware.
"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure."
"The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."
On Monday, CERT/CC also released a security advisory, which includes additional technical details about the Bluetooth vulnerability and attack method.
According to the CERT/CC, Bluetooth makes use of a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices.
Stop Bluetooth Hacking—Install Patches from Vendors
To fix the issue, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures.
Moreover, the organization has also added testing for this vulnerability within its Bluetooth Qualification Process.
The CERT/CC says patches are needed both in firmware or operating system software drivers, which should be obtained from vendors and developers of the affected products, and installed—if at all possible.