A vulnerability in the widely used Bluetooth pairing protocol has been found, putting millions of devices at risk. It allows an unauthenticated attacker within wireless range of two pairing devices to intercept, monitor, and manipulate their traffic. Among the affected units are devices from Apple, Broadcom, Intel, and Qualcomm. Several types of Bluetooth handsets are also affected.
Vulnerability within the Bluetooth protocol
Lior Neumann and Eli Biham, researchers at the Technion - Israel Institute of Technology - discovered the vulnerability. Now tracked as CVE-2018-5383, it is caused by some vendors' Bluetooth implementations not properly validating the elliptic-curve public key received from the peer during the Diffie-Hellman key exchange that takes place in Bluetooth pairing.
The Bluetooth specification itself only recommended this validation and did not mandate it. An implementation that skips it will accept a public key that does not lie on the intended curve at all. A man-in-the-middle within range can exploit this by substituting such an invalid public key for the genuine one during pairing; the shared secret the victim then derives can only take a small number of values, which lets the attacker recover the pairing key. With the key in hand, listening in on supposedly encrypted communication is entirely possible.
The Bluetooth Special Interest Group, or SIG, describes the flaw as follows in a recent report.
"The researchers identified that the Bluetooth specification recommends, but does not require, that a device supporting the Secure Simple Pairing or LE Secure Connections features validate the public key received over the air when pairing with a new device.
For an attack to be successful, an attacking device would need to be within the wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet into the receiving device within a narrow time window."
Mitigation & remediation
In the same report the Bluetooth SIG revealed that, to remedy the vulnerability, it has updated the specification to require validation of any public key received during public key-based security procedures. Testing for the vulnerability has also been added to the Bluetooth Qualification Program.
Among the affected vendors are Apple, Broadcom, Intel and Qualcomm. Google (Android) and Linux have not yet confirmed whether any of their devices are affected. Microsoft devices are not vulnerable. Patches have already been released by some vendors, including Apple and Intel.
Finally, this Monday CERT released a vulnerability note describing the attack in more detail. It includes a list of affected vendors and, where available, the mitigation methods.