Another Bluetooth attack technique has been disclosed
Specialists in enterprise data protection services have found a highly critical vulnerability that affects some Bluetooth implementations that could allow a not authenticated attacker in physical proximity of specific devices intercept, control or manipulate exchanged traffic.
Identified as CVE-2018-5383, the vulnerability affects the firmware or operating system software drivers of several relevant vendors, including Apple, Broadcom, Intel and Qualcomm, it is still unknown if the flaw is also present in Google , Android and Linux.
The security vulnerability is related to two Bluetooth features: low-energy Bluetooth implementations of Secure Connection Pairing in the operating system software, and Secure Simple Pairing implementations in the device firmware.
How does it work?
Researchers specialized in enterprise data protection services found that the Bluetooth specification recommends, but does not forces compatible devices with the two features to validate the public encryption key received during secure pairing.
Since this specification is optional, some Bluetooth products vendors that support the two features do not sufficiently validate the parameters used to generate public keys during the Diffie-Hellman key exchange.
In this case, a non-authenticated remote attacker within the range of encountered devices during the pairing process may launch a Man-in-the-Middle (MitM) attack to obtain the cryptographic key used by the device, allowing them to break into supposedly encrypted devices to steal data that is air-streamed and inject malware.
Bluetooth Special Interest Group (SIG), in charge of maintaining the technology, mentions in a statement: “For an attack to be successful, an attacking device should be within the wireless range of two vulnerable Bluetooth devices that were in pairing process”.
“The attacking device would have to intercept the exchange of public keys by blocking each transmission, sending an acknowledgement to the transmitting device and then injecting the malware into the receiving device within a short period of time. If only one device had the vulnerability, the attack would not succeed”.
Reports of specialists in enterprise data protection services comment that Bluetooth technology uses a device matching mechanism based on the Diffie-Hellman Elliptical Curve Key Exchange (ECDH) to allow encrypted communication between devices. The ECDH key exchange implies a private and public key, and public keys are exchanged to produce a shared pairing key.
Devices must also agree on the elliptical curve parameters that are used, but in some cases, these parameters are not sufficiently validated, allowing remote attackers within range to inject an invalid public key to determine the session key with high probability.
Installing patches from the developers
Bluetooth SIG has updated the Bluetooth specification to require that the products validate the public keys received as part of the public key-based security procedures.
In addition, the organization has also added evidence for this vulnerability within its Bluetooth qualification process. Information security experts commented that patches are needed in both the firmware and operating system software drivers, which must be obtained from the vendors and developers of the affected products.
Apple, Broadcom, Intel, and Qualcomm affected so far
Apple, Broadcom, Intel, and Qualcomm are the main vendors affected by the Bluetooth flaw, while Google, Android, and Linux have not yet confirmed the existence of the vulnerability in their respective products. Microsoft products are not vulnerable. As for the state of vulnerability in each manufacturer, specialists in enterprise data protection services comment on the progress of companies:
- Apple and Intel have already released update patches.
- Broadcom comments that some of its most recent products may be affected by the flaw, but claims it has already been resolved.
- Qualcomm has not spoken about the vulnerability.
Bluetooth SIG adds that there is no evidence that the failure has been exploited for malicious purposes; while experts in enterprise data protection services from the International Institute of Cyber Security affirm that there are no projects for developing devices able to exploit vulnerability in an efficient way.