Researchers Eli Biham and Lior Neumann have discovered a vulnerability in two Bluetooth features that could be exploited by attackers to gain a man-in-the-middle position and to monitor and fiddle with the traffic between two devices connected via that wireless technology.

“Both Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software and BR/EDR implementations of Secure Simple Pairing in device firmware may be affected,” the Carnegie-Mellon CERT notes.

The vulnerability (CVE-2018-5383) exists because the Bluetooth specification recommends, but does not require, that a device supporting the Secure Simple Pairing or LE Secure Connections features validate the public key received over the air when pairing with a new device.

Risk and mitigation

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth Special Interest Group (SIG) explained.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability. ”

The organization has updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures, and is urging vendors to make the required changes to software (OSes and drivers) and firmware (IoT devices) to plug the security hole.

It seems that the bug affects Bluetooth implementations and operating system drivers of a number of vendors, including Apple, Broadcom, Intel and Qualcomm.

Apple has updated the documents regarding the security updates included in iOS 11.4, tvOS 11.4, watchOS 4.3.1, macOS High Sierra 10.13.5 and 10.13.6, Sierra and El Capitan (released in May and July 2018) to include the reference to the vulnerability, as it has been silently patched.

Dell has also pushed out driver updates to fix the flaw.

Microsoft has confirmed that its products aren’t affected by this vulnerability.