Patches continue to roll out following the discovery last week of a Bluetooth vulnerability that allows an attacker to intercept communications.
The flaw was discovered by researchers at the Israel Institute of Technology. The CVE-2018-5383 ID marker was assigned to the vulnerability in the Bluetooth protocol.
It affects almost any device with a Bluetooth chip set and renders connections between devices vulnerable to a man-in-the-middle attack that would allow for the monitoring or manipulation of traffic – if the attacker was in radio range and transmitting while the targeted Bluetooth devices were initially pairing.
The problem arises from Bluetooth’s use of a device paring mechanism that is based on a elliptic-curve Diffie-Hellman (ECDH) key exchange.
When two devices wish to pair with each other they exchange their public keys and a private key is constructed using these keys and an elliptic curve parameter.
Essentially two Bluetooth devices create a one-off shared secret, built from the parts of of their public and private cryptographic keys. This is used to encrypt all communication between the devices.
However, researchers found that not all curve parameters were being checked and validated by the cryptographic algorithm implementation.
Flaw Discovered by Institute
Researchers Eli Biham and Lior Neumann at the Israel Institute of technology commented in their disclosure of the flaw that: “As far as we know every Bluetooth chip manufactured by Intel, Broadcom or Qualcomm is affected. Therefore, almost any device, including smartphones and headsets of all types, are affected.”
“In addition, the Android Bluetooth stack (Bluedroid) is affected when using Bluetooth smart. Apple had provided patches for both MacOS and iOS. The Windows Bluetooth smart stack did not implement the latest Bluetooth smart protocol and is therefore still vulnerable to older and simpler attacks.”
“This process supplies the ground for all of the security and privacy features provided by Bluetooth. Failing to secure this process compromises the entire Bluetooth session,” they added
This means any attacker within wireless range can insert an invalid public key into the exchange which allows them to determine the actual key with a high success rate.
Once in the hacker is undetected within the Bluetooth connection and can intercept and decrypt any communications from the parried devices, as well as insert or forge any malicious messages they want.
From a user’s point of view the only warning they will receive that they are being targeted is if the attack fails to insert a public key into the mix, as this would cause the connection to not be established and the user would get an authentication error.
The Bluetooth Special Interest Group (SIG), the body tasked with overseeing standards and licensing of Bluetooth technology released a statement commenting that: “To remedy the vulnerability, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures.”
Google’s patch was included in their June 2018 update. See their June 2018 bulletin here.