Security News Many Bluetooth Implementations and OS Drivers Affected by Crypto Bug (Some big vendors affected)

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Content source
https://www.bleepingcomputer.com/news/security/many-bluetooth-implementations-and-os-drivers-affected-by-crypto-bug/
A cryptographic bug affects the Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, Qualcomm, and possibly other hardware vendors.

This bug occurs because Bluetooth-capable devices do not sufficiently validate encryption parameters used during "secure" Bluetooth connections. More precisely, pairing devices do not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange.
This results in a weak pairing that may allow a remote attacker to obtain the encryption key used by a device and recover data sent between two devices paired in a "secure" Bluetooth connection.

Both Bluetooth and Bluetooth LE affected

Both the Bluetooth standard's "Secure Simple Pairing" process and Bluetooth LE's "Secure Connections" pairing process are affected.
Two scientists from the Israel Institute of Technology, Lior Neumann and Eli Biham, discovered the vulnerability, tracked as CVE-2018-5383.
CERT/CC has sent out a security advisory last night with the following explanation for the vulnerability:
...
...
.....
..
Click to expand...
Some big vendors affected

Apple, Broadcom, Intel, and Qualcomm have confirmed that Bluetooth implementations and OS drivers are affected. Apple and Broadcom have deployed fixes for the bug, while the status of Intel and Qualcomm is unknown.
Microsoft said its devices are not affected. CERT/CC experts were not able to determine if Android, Google devices, or the Linux kernel are affected.
The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has issued a statement in regards to the vulnerability.


For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.


The organization says it has now updated the official Bluetooth specification to require that all pairing devices validate all parameters used for key-based encrypted Bluetooth connections.
Researchers and Bluetooth SIG said they weren't aware of any in-the-wild attacks where this vulnerability might have been used.
The updates for CVE-2018-5383 should be expected as OS updates or driver updates (for desktops, laptops, and smartphones), or firmware updates (in the case of IoT/smart devices).
Click to expand...
 
  • Like
Reactions: silversurfer, upnorth and harlan4096
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
tvguvbZg_o.png


Woot woot! :D:emoji_fingers_crossed:
 
  • Like
Reactions: silversurfer, LASER_oneXM and harlan4096
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
    • Thanks
Security News Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover
Replies
0
Views
1,169
Security News
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
    • Applause
New Update Intel's latest wireless and Bluetooth drivers fix a crash and performance issues
Replies
1
Views
769
System utilities
vtqhtr413
vtqhtr413
vtqhtr413
    • Like
    • Wow
    • +Reputation
Security News Graphics card flaw enables data theft in AMD, Apple, and Qualcomm chips
Replies
0
Views
1,231
Security News
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top