A cryptographic bug in many Bluetooth firmware and operating system drivers could allow an attacker within only 30 meters to capture and decrypt data shared between Bluetooth-paired devices. The flaw was found by Lior Neumann and Eli Biham of the Israel Institute of Technology, and flagged today by Carnegie Mellon University CERT. The flaw, which is tracked as CVE-2018-5383, has been confirmed to affect many devices, including Apple, Broadcom, Intel, and Qualcomm hardware, and some Android handsets. It affects Bluetooth's Secure Simple Pairing and Low Energy Secure Connections. Fortunately for macOS users, Apple released a patch for the flaw in July.
The bug resembles bluesnarfing, or the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers and is widely used today.
Bluetooth combines Secure Simple Pairing or LE Secure Connections with elliptic curve cryptography to allow devices that have never connected before to securely establish a secret key needed for encrypted communications. The attack uses a newly developed variant of what cryptographers call an invalid curve attack to exploit a major shortcoming in the Bluetooth protocol that remained unknown for more than a decade. As a result, attackers can force the devices to use a known encryption key that allows the monitoring and modifying of data wirelessly passing between them.
"The devices must also agree on the elliptic curve parameters being used. Previous work on the 'Invalid Curve Attack' showed that the ECDH parameters are not always validated before being used in computing the resulting shared key, which reduces attacker effort to obtain the private key of the device under attack if the implementation does not validate all of the parameters before computing the shared key," writes CERT's Garret Wassermann.
The Bluetooth flaw affects most widely used devices and operating systems, including the Amazon Echo, whose popularity has grown greatly over the past year. Google and Amazon have so far patched over 20 million smart speakers that were vulnerable to the Bluetooth attacks.
New bugs and vulnerabilities are discovered every day. You don’t want to fall victim to the next security flaw. Contact us for a free assessment today!