A critical cryptographic vulnerability has been exposed which affects Bluetooth implementations which could permit an unauthenticated, remote hacker who is in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.
This Bluetooth hacking vulnerability, dubbed as CVE-2018-5383, affects firmware or operating system software drivers from vendors like Apple, Broadcom, Intel, and Qualcomm.
The vulnerability is associated to two Bluetooth features which are Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware.
How does the Bluetooth Hack Works?
Encryption communication between two Bluetooth devices are initiated by utilizing a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange. The ECDH key pair consists of private and public key which are shared on both sides to generate a shared Pair key and the device must also agree to use the elliptic curve parameters.
The researchers at the Israel Institute of Technology found that the Bluetooth specification recommends devices supporting the two features to validate the public encryption key received over-the-air during secure pairing.
As this specification is not mandatory the Bluetooth products of some vendors who support the two features do not properly validate the elliptic curve parameters. In such cases an attacker during the pairing process can launch a man-in-the-middle attack to obtain the cryptographic key used by the device. Both the pairing devices should be within the wireless range of two vulnerable Bluetooth devices.
To fix this issue, the Bluetooth Special Interest Group (SIG) has updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures. They have also added testing for this vulnerability within its Bluetooth Qualification Process.
The CERT/CC mentions that the patches are needed both in firmware or operating system software drivers and have to be bought from vendors and developers of the affected products, and installed.
As of now Apple, Broadcom, Intel, and Qualcomm have been found to have affected Bluetooth chipsets in their devices, whereas Google, Android, and Linux have not confirmed the presence of the vulnerability. Microsoft products are not vulnerable.
Apple and Intel have released patches for the same. Apple fixed the bug with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.
Intel released both software and firmware updates to patch the Bluetooth bug informing users that the flaw impacts the company’s Dual Band Wireless-AC, Tri-Band Wireless-AC, and Wireless-AC product families.
Broadcom reports that some of its products that support Bluetooth 2.1 or newer technology may be affected but they claim to have already made fixes available to its OEM customers, who are now responsible for providing them to the end-users.
Qualcomm has not released any statement regarding the vulnerability.