New Bluetooth vulnerability allows hacking iOS and Android devices

Wireless protocols are not exempt from cybersecurity risks. IT security audit specialists say that more than one billion Bluetooth-enabled devices (smartphones, IoT equipment, laptops, switches, and others) present a critical vulnerability that, if exploited, would allow hackers to intercept transmitted data between two connected devices, especially smartphones.

Tracked as CVE-2019-9506, this vulnerability is present in the Encryption Key Negotiation Protocol, which allows devices operating with the BR/EDR standard to choose an entropy value for the encryption keys used to secure a Bluetooth connection. According to the report, this attack allows a threat actor located near two connected devices to intercept, monitor and manipulate traffic between paired devices.

The Bluetooth BR/EDR (Basic Rate/Enhaced Data Rate) standard, also known as “Bluetooth Classic”, is a wireless connection standard designed to establish a short-range pairing, mainly used in wireless headphones or speakers. According to IT security audit experts, the central specification of this protocol supports encryption keys with an entropy value of between 1 and 16 bytes; in this case, the higher the value of entropy, the higher the level of security. The main finding of this research is that the negotiation of entropy, conducted via the Link Management Protocol (LMP), is not a protected process with encryption, nor requires authentication, making it vulnerable to air-hijacking or manipulation.

By exploiting this vulnerability, a threat actor could trick two devices into setting an encryption key of only 1 byte of entropy, opening the door to a brute force attack. “Let’s think that there are two Bluetooth equipment operators (A and B) establishing a connection. After authenticating the pairing key, A proposes to use 16 bytes of entropy. Entropy (N) can have a value between 1 and 16 bytes; it is up to Subject B to accept or reject, or to propose a different value in this negotiation,” the report on the flaw mentions.

“Subject B could propose a value of N less than proposed by A; subsequently, A could accept and request activation of link encryption with B. Exploiting the vulnerability, a hacker could force A and B to use a lower value of N to intercept the proposal request between both Bluetooth operators,” the experts in IT security audit said. After breaking the encryption, the hacker can capture the transmitted traffic via Bluetooth or even read encrypted texts in real time and without the victims being able to notice.

While dangerous, experts mention that the success of this attack depends on some conditions such as:

  • Both Bluetooth devices must establish a BR/EDR connection
  • Both Bluetooth devices must be vulnerable
  • The attacker must be able to block direct transmissions between devices during pairing

To mitigate the risk of this attack, IT security audit experts from the International Institute of Cyber Security (IICS) mention that manufacturers of integrated Bluetooth equipment should apply as standard a minimum length of 7 bytes for BR/EDR connections. Some manufacturers, such as Microsoft, Cisco, Google, and Apple have already started releasing the necessary updates, especially for iOS and Android smartphones.