Security News Many Bluetooth Implementations and OS Drivers Affected by Crypto Bug (Some big vendors affected)

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,507
A cryptographic bug affects the Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, Qualcomm, and possibly other hardware vendors.

This bug occurs because Bluetooth-capable devices do not sufficiently validate encryption parameters used during "secure" Bluetooth connections. More precisely, pairing devices do not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange.
This results in a weak pairing that may allow a remote attacker to obtain the encryption key used by a device and recover data sent between two devices paired in a "secure" Bluetooth connection.

Both Bluetooth and Bluetooth LE affected

Both the Bluetooth standard's "Secure Simple Pairing" process and Bluetooth LE's "Secure Connections" pairing process are affected.
Two scientists from the Israel Institute of Technology, Lior Neumann and Eli Biham, discovered the vulnerability, tracked as CVE-2018-5383.
CERT/CC has sent out a security advisory last night with the following explanation for the vulnerability:
...
...
.....
..
Some big vendors affected

Apple, Broadcom, Intel, and Qualcomm have confirmed that Bluetooth implementations and OS drivers are affected. Apple and Broadcom have deployed fixes for the bug, while the status of Intel and Qualcomm is unknown.
Microsoft said its devices are not affected. CERT/CC experts were not able to determine if Android, Google devices, or the Linux kernel are affected.
The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has issued a statement in regards to the vulnerability.


For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.



The organization says it has now updated the official Bluetooth specification to require that all pairing devices validate all parameters used for key-based encrypted Bluetooth connections.
Researchers and Bluetooth SIG said they weren't aware of any in-the-wild attacks where this vulnerability might have been used.
The updates for CVE-2018-5383 should be expected as OS updates or driver updates (for desktops, laptops, and smartphones), or firmware updates (in the case of IoT/smart devices).
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
5,008
tvguvbZg_o.png


Woot woot! :D:emoji_fingers_crossed: