A new cryptographic bug has come to light that is claimed to affect the Bluetooth implementations of multiple operating system drivers manufactured by big corporations including Apple, Broadcom, Intel, Qualcomm, among others. A report suggests that this bug has occurred due to an insufficient validation of encryption parameters on secure Bluetooth connections. Tracked as CVE-2018-5383, this Bluetooth bug seems to have affected both the "Secure Simple Pairing" and "Secure Connections" processes of Bluetooth standard and Bluetooth LE, respectively.
As per a report by Bleeping Computer, Israeli scientists Lior Neumann and Eli Biham, from the Israel Institute of Technology, have discovered the CVE-2018-5383 bug. In a blog post on Monday, Bluetooth Special Interest Group (SIG) acknowledged the bug and stated that there is a possibility that some vendors may have developed Bluetooth-compatible products that do not perform public key validation during the pairing procedure. This can potentially give remote access to attackers who are within wireless range of two such vulnerable devices.
"The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful," explained the blog post.
As a solution, the Bluetooth SIG has updated its Bluetooth specification to now require all public keys to be validated as part of the default security procedures, Adding to that, the SIG has also added testing for this vulnerability to its Bluetooth Qualification Program.
"Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key," it notes. "The devices must also agree on the elliptic curve parameters being used. Previous work on the "Invalid Curve Attack" showed that the ECDH parameters are not always validated before being used in computing the resulted shared key, which reduces attacker effort to obtain the private key of the device under attack if the implementation does not validate all of the parameters before computing the shared key."
According to Bleeping Computer, Apple, Broadcom, Intel, and Qualcomm have already issued software fixes for this vulnerability. Additionally, CERT was unable to detect whether devices running Google's software, AOSP, and Linux were affected or not. Software updates on laptops, desktops, and smartphones, and firmware updates on IoT devices are expected in the coming weeks.