The security vulnerability concerns two particular Bluetooth features: Bluetooth Low Energy (LE), where it affects implementations of Secure Connections Pairing in operating system software, and EDR (Enhanced Data Rate), where it affects implementations of Secure Simple Pairing in device firmware.
Attacks on Bluetooth have been attempted since the technology was released on May 20th 1998, and they continue to become more effective.
A highly critical cryptographic vulnerability has been found in Bluetooth implementations that could allow an unauthenticated attacker in physical proximity to the targeted devices to intercept, monitor or manipulate the traffic exchanged between them.
Tracked as CVE-2018-5383, it affects the firmware or operating system of devices from major vendors including Apple, Intel, Broadcom, and Qualcomm, while the implications for Google, Android and Linux are still unknown. A warning from the U.S. Computer Emergency Response Team described the vulnerability as the result of a missing check on keys used when encrypting data sent over Bluetooth connections.
How Does The Bluetooth Hack Work?
Researchers from the Israel Institute of Technology discovered that the specification for secure pairing does not require devices supporting the two features to validate the public key received over the air.
Some vendors' Bluetooth products supporting the two features therefore don't sufficiently validate the elliptic curve parameters used to generate public keys during the Diffie-Hellman key exchange.
Attackers within wireless range of the targeted devices during the pairing process can mount a man-in-the-middle attack to obtain the cryptographic key used by the devices, allowing them to potentially snoop on supposedly encrypted device communication, steal data over the air, and inject malware.
Here's what the Bluetooth SIG's security notice had to say:
“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.”
“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”
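To make the missing check concrete, here is an added example (not code from the article, the researchers or any vendor) of the public-key validation a pairing implementation should perform on the peer's ECDH key before deriving a shared secret. It assumes NIST P-256, the curve Bluetooth Secure Connections pairing uses, with the standard published domain parameters, and contrasts it with the range-only check that the vulnerable implementations effectively performed.

```python
# Added example: receiver-side validation of an ECDH public key on NIST P-256.
# Domain parameters are the standard published values (assumed transcribed
# correctly); P is the field prime, A and B the curve coefficients, (GX, GY)
# the generator.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) satisfies y^2 = x^3 + A*x + B (mod P)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_public_key(x: int, y: int) -> str:
    """Return 'ok' if (x, y) is an acceptable peer public key, otherwise a
    short reason for aborting the pairing.

    P-256 has cofactor 1, so an affine point that lies on the curve is
    already in the prime-order subgroup; no separate order check is needed.
    """
    if not (0 <= x < P and 0 <= y < P):
        return "coordinate out of field range"
    if not is_on_curve(x, y):
        return "point not on P-256"
    return "ok"


def naive_accept(x: int, y: int) -> bool:
    """The weak behaviour behind CVE-2018-5383: only a range check, never
    verifying that the received point actually lies on the curve."""
    return 0 <= x < P and 0 <= y < P


# Constructed inputs: a legitimate point (the generator stands in for a real
# public key) and the same x with a y-coordinate substituted in transit.
GENUINE = (GX, GY)
TAMPERED = (GX, 1)

if __name__ == "__main__":
    for label, point in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(f"{label}: naive={naive_accept(*point)} "
              f"validated={validate_public_key(*point)}")
```

The tampered point is accepted by the range-only check but rejected by the on-curve test, which is exactly the check whose absence lets a man-in-the-middle steer the Diffie-Hellman result.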
Where are the fixes?
Apple issued fixes in May with the release of iOS 11.4 and for supported macOS versions in June. For those who haven't updated, Neumann warned: “Every iPhone device with a Broadcom or Qualcomm chip is inherently vulnerable.” That would include the latest iPhone 8 and X models.