Security researchers at the Israel Institute of Technology have found a high severity vulnerability affecting some Bluetooth implementations that could be exploited by an unauthenticated remote attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.
The issue, tracked as CVE-2018-5383, affects the Secure Simple Pairing and LE Secure Connections features. It is present in firmware or drivers from some major vendors, including Apple, Broadcom, Intel, and Qualcomm.
The Bluetooth specifications recommend that devices supporting the above features validate the public key exchanged during the pairing process.
Experts from the Bluetooth Special Interest Group (SIG), the group that oversees the development of Bluetooth standards, explained that some vendors do not implement public key validation.
As a result, a nearby attacker can launch a man-in-the-middle (MitM) attack, obtain the encryption key, and then monitor and manipulate the traffic exchanged by the devices.
“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure,” reads the advisory published by the Bluetooth SIG.
“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”
The Bluetooth SIG has addressed the vulnerability by updating the specification: it is now mandatory for products to implement public key validation during the pairing process.
Moreover, the Bluetooth SIG has also added testing for this vulnerability within its Bluetooth Qualification Process.
The CERT/CC published a security advisory on the flaw that includes technical details.
“Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device,” reads the advisory published by the CERT/CC.
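The public key validation that the updated specification makes mandatory comes down to checking that the received point lies on the agreed curve before it is used in the Diffie-Hellman computation. The sketch below is an added example, not code from the Bluetooth SIG, the CERT/CC or any vendor; it assumes the NIST P-256 curve and a 64-byte X || Y little-endian key encoding, and all function names and sample keys are hypothetical.

```python
# Added example: ECDH peer public-key validation before use in pairing.
# NIST P-256 domain parameters (public constants from FIPS 186-4).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

class InvalidPublicKey(ValueError):
    """Peer key failed validation; the pairing attempt must be aborted."""

def is_on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + A*x + B (mod P)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0

def validate_peer_public_key(payload: bytes, byteorder: str = "little"):
    """Parse a 64-byte X||Y key (layout assumed) and reject off-curve points."""
    if len(payload) != 64:
        raise InvalidPublicKey("expected 64 bytes (X || Y)")
    x = int.from_bytes(payload[:32], byteorder)
    y = int.from_bytes(payload[32:], byteorder)
    # Coordinates must be reduced field elements.
    if x >= P or y >= P:
        raise InvalidPublicKey("coordinate out of range")
    # Check the full point, x and y together, against the curve equation.
    if not is_on_curve(x, y):
        raise InvalidPublicKey("point is not on P-256")
    return x, y

def encode(x: int, y: int, byteorder: str = "little") -> bytes:
    """Build the assumed 64-byte X||Y encoding (used for the samples)."""
    return x.to_bytes(32, byteorder) + y.to_bytes(32, byteorder)

# Constructed samples: the curve's base point, and the same point with y altered.
GOOD_KEY = encode(GX, GY)
BAD_KEY = encode(GX, (GY + 1) % P)

if __name__ == "__main__":
    for name, key in (("GOOD_KEY", GOOD_KEY), ("BAD_KEY", BAD_KEY)):
        try:
            validate_peer_public_key(key)
            print(name, "accepted")
        except InvalidPublicKey as exc:
            print(name, "rejected:", exc)
```

P-256 has cofactor 1, so a point that passes the range and curve-equation checks is in the correct group; a stack that skips the check would go on to derive a shared secret from whatever coordinates it received.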
According to the Bluetooth SIG, there is no evidence that the CVE-2018-5383 flaw has been exploited in attacks in the wild.
“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” added the Bluetooth SIG.
Both Apple and Intel have rolled out security patches to address the CVE-2018-5383 vulnerability.
According to Intel, the vulnerability affects the Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families.
The vendor has already rolled out both software and firmware updates to fix the issue.
According to Broadcom, some of its products supporting Bluetooth 2.1 or newer technology may be impacted. The company added that security fixes were already provided to OEM customers.