Your IT Consultant

Bluetooth Pairing Vulnerable to Attack

July 25, 2018

Threatpost reported that researchers at the Israel Institute of Technology have identified a security vulnerability in the Bluetooth specification. The vulnerability (CVE-2018-5383) deals with Secure Simple Pairing and LE Secure Connections. Even though the specification allows for creating an encrypted communication connection between devices, vendors are allowed to opt-out of validating the encryption keys. This means that the pairing process is vulnerable to a man-in-the-middle attack, giving the attacker the ability to "snoop" the transmitted data or even manipulate it.

The good news is that if at least one of the devices validates all of the elliptic curve parameters during the Diffie-Hellman (ECDH) key exchange than you're safe. Apple has already updated MacOS and iOS 11.4. Intel has updated drivers for Windows 7, 8.1 and 10. Many vendors are busily distributing updates since the Bluetooth specification now requires validation of the encryption keys. If you haven't seen an update yet, it should be arriving shortly.

E-mail: Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com