CVE-2018-5383 affects firmware or OS drivers from Apple, Broadcom, Intel and Qualcomm. At the time of writing, the implications of the bug on Google Android and Linux are unknown.
The researchers realised that the Bluetooth® specification does not mandate devices supporting there two features to validate the public encryption key that is the handshake for over-the-air during. As the Diffie-Hellman key exchange is optional, some vendors have not validated the elliptical curve parameters used in the exchange. Because of this, a Man In The Middle attack is possible for someone within Bluetooth® range of the target device(s). This would allow them to access all data thought by the user to be encrypted as well as the ability to perform malware injections.
The Bluetooth® SIG have issued the following statement:
"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth® devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."
How to stop Bluetooth® hacks
The Bluetooth® SIG has updated the specification to make the public key validation mandatory. They claim there is no evidence of malicious exploitation of the bug.
Patches will be needed and users should obtain these directly from vendors. Apple and Intel have already patched this.
More articles in Security
- Is it about time the insurance sector embraced the cloud?
- The importance of ISO 27001
- Cloud Security: An Essential Guide
- On premise vs. the cloud: What is the future for the financial sector?
- Is your hosting provider solving your big data problems?
- Is the Middle East cloud market set for rapid growth?
- Hyve Managed Hosting is named by The Sunday Times as one of the fastest growing private companies in the UK
- Can the cloud lead the way on tackling climate change?
- Jon Lucas of Hyve Managed Hosting: 5 Things You Need To Know To Create a Successful App or SaaS
- Is managed private cloud the future?
- World Backup Day 2021
- What is Private Cloud?
- Reshaping the future of remote work
- Why accreditations matter when choosing a hosting provider
- 3 reasons to consider the location of your data
- Is London the new Silicon Valley?
- What is HPC and who uses it?