There’s a new Bluetooth security vulnerability to be aware of, tracked as CVE-2018-5383, and it’s a nasty one.
It’s a cryptographic vulnerability that affects firmware or operating system software drivers from a number of major vendors, including Qualcomm, Broadcom, Intel and Apple. At this point, the implication of the bug on Linux, Android, and Google are unknown.
The flaw is related to two important Bluetooth features: BR/EDR implementations of Secure Simple Pairing in device firmware and Bluetooth Low Energy (BLE) of Secure Connections Pairing in OS system software.
It was discovered by researchers operating out of Israel’s Institute of Technology. They discovered that the Bluetooth specification recommends (but critically does not mandate) that devices supporting the two features make any effort to validate the public encryption key received during secure pairing.
Since the specification is optional, it’s hardly a surprise that some vendors producing Bluetooth products do not take sufficient steps to validate the parameters used to generate public keys during the exchange.
This allows a would-be hacker the possibility of executing a man-in-the-middle attack to obtain the cryptographic key used by the device. This would give them the opportunity to not only spy on the device’s owner, but also to inject malware that could allow the hacker to take full control over the device.
SIG (the Bluetooth Special Interest Group which maintains the technology), had this to say about the flaw:
“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.
The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”
Bluetooth SIG has now updated the specification to require products to validate public keys received as part of the public key-based security procedures. Of the manufacturers mentioned above, Apple and Intel have both released patches. Broadcom has made fixes available to its OEM customers who are responsible for providing them to end-users. There has been no word yet from Qualcomm.