Bluetooth logo

A cryptographic bug affects the Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, Qualcomm, and possibly other hardware vendors.

This bug occurs because Bluetooth-capable devices do not sufficiently validate encryption parameters used during "secure" Bluetooth connections. More precisely, pairing devices do not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange.

This results in a weak pairing that may allow a remote attacker to obtain the encryption key used by a device and recover data sent between two devices paired in a "secure" Bluetooth connection.

Both Bluetooth and Bluetooth LE affected

Both the Bluetooth standard's "Secure Simple Pairing" process and Bluetooth LE's "Secure Connections" pairing process are affected.

Two scientists from the Israel Institute of Technology, Lior Neumann and Eli Biham, discovered the vulnerability, tracked as CVE-2018-5383, and detailed on this website and this research paper.

CERT/CC has sent out a security advisory last night with the following explanation for the vulnerability:

Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must also agree on the elliptic curve parameters being used. Previous work on the "Invalid Curve Attack" showed that the ECDH parameters are not always validated before being used in computing the resulted shared key, which reduces attacker effort to obtain the private key of the device under attack if the implementation does not validate all of the parameters before computing the shared key.

In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages.

Some big vendors affected

Apple, Broadcom, Intel, and Qualcomm have confirmed that Bluetooth implementations and OS drivers are affected. Apple, Broadcom, and Intel have deployed fixes for the bug. A Qualcomm spokesperson told Bleeping Computer via email that they have deployed fixes as well.

Microsoft said its devices are not affected. CERT/CC experts were not able to determine if Android, Google devices, or the Linux kernel are affected.

The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has issued a statement in regards to the vulnerability.

For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.

The organization says it has now updated the official Bluetooth specification to require that all pairing devices validate all parameters used for key-based encrypted Bluetooth connections.

Researchers and Bluetooth SIG said they weren't aware of any in-the-wild attacks where this vulnerability might have been used. The good news is that the attacker needs to be near the victim when he/she is pairing a Bluetooth device, a process that occurs very rarely, and can't be forced via a deauth operation. Furthermore, if one of the two devices participating in a paring operation have received a patch, then the attack won't work anymore.

The updates for CVE-2018-5383 should be expected as OS updates or driver updates (for desktops, laptops, and smartphones), or firmware updates (in the case of IoT/smart devices).

Article updated with information on Intel and Qualcomm fixes.

Related Articles:

Apple Fixes Passcode Bypass, RCE Vulnerabilities, and More in Today's Updates.

Company Pretends to Decrypt Ransomware But Just Pays Ransom

Scam iOS Fitness Apps Steal Money Through Apple Touch ID

Tech Support Scams Using Multiple Obfuscation Methods to Bypass Detection

How a Security Test for DropBox Revealed 3 Apple Zero Day Vulnerabilities