CVE-2018-5383 affects firmware or OS drivers from Apple, Broadcom, Intel and Qualcomm. At the time of writing, the implications of the bug on Google Android and Linux are unknown.
The researchers realised that the Bluetooth® specification does not mandate devices supporting there two features to validate the public encryption key that is the handshake for over-the-air during. As the Diffie-Hellman key exchange is optional, some vendors have not validated the elliptical curve parameters used in the exchange. Because of this, a Man In The Middle attack is possible for someone within Bluetooth® range of the target device(s). This would allow them to access all data thought by the user to be encrypted as well as the ability to perform malware injections.
The Bluetooth® SIG have issued the following statement:
"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth® devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."
How to stop Bluetooth® hacks
The Bluetooth® SIG has updated the specification to make the public key validation mandatory. They claim there is no evidence of malicious exploitation of the bug.
Patches will be needed and users should obtain these directly from vendors. Apple and Intel have already patched this.
- How can businesses use the cloud to reduce their carbon emissions?
- 3 public sector cybersecurity threats – and how to prevent them
- Why digital agencies need a managed hosting provider
- 5 ways the cloud saved education during the pandemic
- Hyve Managed Hosting wins “Company of the Year” at the Brighton and Hove Business Awards
- Is it about time the insurance sector embraced the cloud?
- The importance of ISO 27001
- Cloud Security: An Essential Guide
- On premise vs. the cloud: What is the future for the financial sector?
- Is your hosting provider solving your big data problems?
- Is the Middle East cloud market set for rapid growth?
- Hyve Managed Hosting is named by The Sunday Times as one of the fastest growing private companies in the UK