Yet another Bluetooth hacking technique has been uncovered.
A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.
The vulnerability, tracked as CVE-2018-5383, affects firmware or operating system software drivers from some major vendors, including Apple, Broadcom, Intel, and Qualcomm, while the implications of the bug for Google, Android and Linux are still unknown.
The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware.
How Does the Bluetooth Hack Work?
Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate, that devices supporting the two features validate the public encryption key received over the air during secure pairing.
Because this validation is optional, some vendors’ Bluetooth products supporting the two features do not sufficiently validate the elliptic-curve parameters used to generate public keys during the Diffie-Hellman key exchange.
In that case, an unauthenticated remote attacker within range of the targeted devices during the pairing process can mount a man-in-the-middle attack to obtain the cryptographic key the devices use, potentially allowing them to snoop on supposedly encrypted communication, steal data sent over the air, and inject malware.
Here’s what the Bluetooth Special Interest Group (SIG), the maintainers of the technology, says about the flaw:
“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.”
“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”
On Monday, CERT/CC also released a security advisory, which includes additional technical details about the Bluetooth vulnerability and attack method.
According to the CERT/CC, Bluetooth makes use of a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices.
In ECDH, each device holds a private key and a matching public key; the two devices exchange their public keys, and each combines the peer’s public key with its own private key to produce the same shared pairing key.
The devices must also agree on the elliptic curve parameters being used, but in some implementations, these parameters are not sufficiently validated, allowing remote attackers within wireless range “to inject an invalid public key to determine the session key with high probability.”
Stop Bluetooth Hacking—Install Patches from Vendors
To fix the issue, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures.
Moreover, the organization has also added testing for this vulnerability within its Bluetooth Qualification Process.
The CERT/CC says patches are needed in both firmware and operating system software drivers, which should be obtained from the vendors and developers of the affected products and installed—if at all possible.
Apple, Broadcom, Intel, and Qualcomm Found Affected
So far, Apple, Broadcom, Intel, and Qualcomm have been found to include affected Bluetooth chipsets in their devices, while Google, Android, and Linux have yet to confirm whether their respective products are vulnerable. Microsoft products are not vulnerable.
Apple and Intel have already released patches for this security vulnerability. Apple fixed the bug with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.
Intel released both software and firmware updates to patch the Bluetooth bug on Monday, informing users that the high severity flaw impacts the company’s Dual Band Wireless-AC, Tri-Band Wireless-AC, and Wireless-AC product families.
According to Broadcom, some of its products supporting Bluetooth 2.1 or newer technology may be affected by the reported issue, but the chip maker claims to have already made fixes available to its OEM customers, who are now responsible for providing them to the end-users.
Qualcomm has not released any statement regarding the vulnerability.
The Bluetooth SIG says that there is no evidence of the bug being exploited maliciously and that it is not aware of “any devices implementing the attack having been developed, including by the researchers who identified the vulnerability.”