A vulnerability within the commonly available Bluetooth protocol has been found, putting millions devices at risk. The vulnerability allows an unauthenticated and remote attacker in close proximity to intercept, monitor, and manipulate their victim’s traffic. Amongst the affected units are devices from Apple, Broadcom, Intel, and Qualcomm. Several types of Bluetooth handsets are also affected.


Vulnerability within the Bluetooth protocol

Lion Neurman and Eli Biham, researchers from Technion – Israel Institute of Technology – were the first to discover the vulnerability. Now dubbed CVE-2018-5383, it is caused by certain vendors not implementing proper validation of the cryptographic key exchange during Bluetooth pairing.

The Bluetooth specification itself simply recommends this validation but doesn’t mandate it. Therefore, if skipped an attacker performing a man-in-the-middle attack could extract the cryptographic key used during pairing. With the key in hand, listening in on supposedly encrypted communication would be very possible.

The Bluetooth Special Interest Group, or SIG, describe the flaw as follows in a recent report.

The researchers identified that the Bluetooth specification recommends, but does not require, that a device supporting the Secure Simple Pairing or LE Secure Connections features validate the public key received over the air when pairing with a new device.

For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window.

Mitigation & remediation

In the same report the Bluetooth SIG revealed that, to remedy the vulnerability, it has updated the specification to require cryptographic key validation. Testing for the vulnerability itself has also been added to their Bluetooth Qualification Program.

Amongst the affected vendors, Apple, Broadcom, Intel and Qualcomm are confirmed. Google, Android, and Linux have yet to confirm nor deny the existence of the vulnerability in any of their devices. Microsoft devices are not vulnerable. Patches have already been released by some vendors, including Apple and Intel.

Finally, this monday CERT released a technical report describing the attack in more detail. Included is a list of affected devices and possible mitigation methods – if available.