Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation
24.7.18 securityweek Vulnerability
A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity to two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.
The flaw, discovered by researchers at the Israel Institute of Technology and tracked as CVE-2018-5383, is related to the Secure Simple Pairing and LE Secure Connections features.
According to the Bluetooth Special Interest Group (SIG), whose members maintain and improve the technology, Bluetooth specifications recommend that devices supporting the two features validate the public key received during the pairing process. However, this is not a requirement, and some vendors’ Bluetooth products do not perform public key validation.
An unauthenticated attacker who is in Bluetooth range of the targeted devices during the pairing process can launch a man-in-the-middle (MitM) attack and obtain the encryption key, which allows them to intercept traffic and forge or inject device messages.
“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth SIG explained.
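The missing step at the heart of this advisory is the check a pairing device should run on the peer's public key before deriving a shared secret. The code below is an added illustration written for this article; it is not the Bluetooth SIG's or any vendor's implementation. It assumes the elliptic curve is NIST P-256, which both Secure Simple Pairing and LE Secure Connections use for their ECDH exchange, and the function name `validate_peer_public_key` and its reason strings are the author's own choices. The curve's generator and points derived from it serve as constructed test input.

```python
# Added example (not from the article or the Bluetooth SIG): full public-key
# validation for a received P-256 ECDH point, pure-Python, no dependencies.

# NIST P-256 domain parameters (hypothetical-free: these are the standard values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G = (GX, GY)


def is_on_curve(x, y):
    """True when (x, y) satisfies y^2 = x^3 + ax + b over GF(p)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _inv(d):
    # Modular inverse via Fermat's little theorem (P is prime).
    return pow(d, P - 2, P)


def point_double(pt):
    """Affine doubling; None represents the point at infinity."""
    if pt is None:
        return None
    x, y = pt
    if y == 0:
        return None
    lam = (3 * x * x + A) * _inv(2 * y) % P
    x3 = (lam * lam - 2 * x) % P
    y3 = (lam * (x - x3) - y) % P
    return (x3, y3)


def point_add(p1, p2):
    """Affine addition, handling infinity, equal points and inverse points."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if y1 == y2:
            return point_double(p1)
        return None  # p2 == -p1
    lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Plain double-and-add; only used here to manufacture test points."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_double(addend)
        k >>= 1
    return result


def validate_peer_public_key(pub):
    """Return (True, 'ok') if pub is a usable P-256 public key, else (False, reason).

    A device that skips this check and feeds an arbitrary (x, y) into ECDH is
    the condition the advisory describes; a device that performs it rejects
    any point that is not on the curve before any secret is derived.
    """
    if pub is None:
        return False, "point at infinity"
    x, y = pub
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of field range"
    if not is_on_curve(x, y):
        return False, "point not on curve"
    # P-256 has cofactor 1, so every affine point on the curve already lies in
    # the prime-order subgroup; an explicit subgroup check (n*Q == infinity)
    # is only needed on curves with a cofactor greater than 1.
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the generator, a point derived from it, and a
    # tampered coordinate that is not on the curve.
    for label, pub in [("G", G), ("2G", scalar_mult(2, G)), ("tampered", (GX, GY + 1))]:
        print(label, validate_peer_public_key(pub))
```

The check is cheap (three modular multiplications) and must run on every received key, not only during qualification testing; the specification change described above makes it mandatory, but a device that already performs it is protected regardless of its peer's behaviour.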
Additional technical details about the vulnerability and attack method were made public on Monday by CERT/CC.
The Bluetooth SIG says it has now updated specifications to require products to validate public keys. The organization has also added testing for this vulnerability to its Bluetooth Qualification Process, which all products that use Bluetooth must complete.
“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” the Bluetooth SIG said.
Apple and Intel have already rolled out patches for this vulnerability. Apple fixed CVE-2018-5383 in the past weeks with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.
Intel published an advisory on Monday, informing users that the high severity flaw impacts its Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families. The company has released both software and firmware updates to patch the security hole, and provided instructions on how to address the issue on Windows, Linux and Chrome OS systems.
Broadcom says some of its products using Bluetooth 2.1 or newer may be impacted, but it claims to have already made fixes available to its OEM customers. It’s now up to these companies to ensure that the patches reach end users.
CERT/CC’s advisory also lists Qualcomm as being affected, but the company has yet to provide any information.