Bluetooth Pairing Bug To Be Repaired

Update coming for Bluetooth after pairing vulnerability could see attacker intercept communications

Bluetooth has a vulnerability that can allow an attacker to potentially intercept Bluetooth communication between two paired devices.

The flaw was uncovered by researchers at the Israel Institute of Technology, and has been documented by the Bluetooth SIG and Carnegie Mellon’s CERT.

This is the latest security scare surrounding the security of Bluetooth. Last September researchers from Armis uncovered another flaw that could have potentially compromised billions of devices.

Pairing vulnerability

That particular flaw was known as ‘Blueborne’ and the attack disguised itself as a Bluetooth device and exploited a weaknesses in the protocol to deploy malicious code. It was similar in nature to the Broadcom Wi-Fi attack disclosed earlier in 2017.

But now the Israel Institute of Technology researchers have found that when a person pairs a couple of Bluetooth devices, such as a phone and computer, they exchange encryption keys.

Unfortunately, it seems that the Bluetooth specification doesn’t require that both of these devices completely validate those keys.

“The researchers identified that the Bluetooth specification recommends, but does not require, that a device supporting the Secure Simple Pairing or LE Secure Connections features validate the public key received over the air when pairing with a new device,” said the Bluetooth SIG in its advisory.

“In such cases, connections between those devices could be vulnerable to a man-in-the-middle attack that would allow for the monitoring or manipulation of traffic,” it added.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure,” it said. “The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”

The Bluetooth SIG said that in order to remedy the vulnerability, it has now updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures.

In addition, the Bluetooth SIG has added testing for this vulnerability within its Bluetooth Qualification Program.

Update now

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” it said.

It concluded that Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.

Apple for example has updated MacOS, plus the Bluetooth fix is also included in iOS 11.4.

Intel updated Bluetooth drivers for Windows 7 , 8.1 and 10, but some some patches may need to be sourced from the device manufacturer itself.

Do you know all about security? Try our quiz!