Thursday, August 30, 2018

New Bluetooth Hack Affects Millions of Devices from Major Vendors

 People see me with my wired headset and think I'm silly. I see them with their Bluetooth and think words much more offensive. The hacking methods are "not" limited to what's described here.


Yet another Bluetooth hacking technique has been uncovered.

A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.

The Bluetooth hacking vulnerability, tracked as CVE-2018-5383, affects firmware or operating system software drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm, while the implications of the bug for Google, Android and Linux are still unknown.


The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware.

How the Bluetooth Hack Works


Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate, that devices supporting the two features validate the public encryption key received over-the-air during secure pairing.

Since the specification leaves this check optional, some vendors' Bluetooth products supporting the two features do not sufficiently validate the elliptic curve parameters used to generate public keys during the Diffie-Hellman key exchange.

In this case, an unauthenticated, remote attacker within the range of targeted devices during the pairing process can launch a man-in-the-middle attack to obtain the cryptographic key used by the device, allowing them to potentially snoop on supposedly encrypted device communication to steal data going over-the-air, and inject malware.

Here's what the Bluetooth Special Interest Group (SIG), the maintainers of the technology, says about the flaw:

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure."

"The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."

On Monday, CERT/CC also released a security advisory, which includes additional technical details about the Bluetooth vulnerability and attack method.

According to the CERT/CC, Bluetooth makes use of a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices.


The ECDH key exchange involves a private and a public key, and the public keys are exchanged to produce a shared pairing key.

The devices must also agree on the elliptic curve parameters being used, but in some implementations, these parameters are not sufficiently validated, allowing remote attackers within wireless range "to inject an invalid public key to determine the session key with high probability."

Stop Bluetooth Hacking—Install Patches from Vendors


To fix the issue, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures.

Moreover, the organization has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC says patches are needed in both firmware and operating system software drivers, which should be obtained from vendors and developers of the affected products, and installed—if at all possible.


Apple, Broadcom, Intel, and Qualcomm Found Affected


So far, Apple, Broadcom, Intel, and Qualcomm have been found to include affected Bluetooth chipsets in their devices, while Google, Android, and Linux have yet to confirm the existence of the vulnerability in their respective products. Microsoft products are not vulnerable.

Apple and Intel have already released patches for this security vulnerability. Apple fixed the bug with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.

