The new Bluetooth vulnerability allows remote mobile interception

Researchers at the Israel Institute of Technology have discovered a critical cryptographic vulnerability that affects some Bluetooth devices. The flaw enables a man-in-the-middle attack, in which an unauthenticated remote attacker intercepts, monitors, or manipulates the traffic exchanged by nearby devices.

The vulnerability, identified as CVE-2018-5383, affects two pairing features: Bluetooth Low Energy (LE) Secure Connections pairing and "Secure Simple Pairing".

How does the Bluetooth hack work?

According to the researchers, the Bluetooth specification recommends, but does not require, that devices supporting either feature validate the public encryption key received during pairing.

Because this validation is optional, some vendors' Bluetooth products that support these features do not sufficiently validate the elliptic curve parameters used to generate the public keys exchanged during the Diffie-Hellman key exchange.

As a result, an attacker can launch a man-in-the-middle attack during pairing to obtain the cryptographic key used by the devices, which gives access to supposedly encrypted traffic between terminals or computers and allows data to be stolen.

Here is what the Bluetooth Special Interest Group (SIG) says about the flaw:

For an attack to succeed, an attacker device would have to be in wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device must intercept the exchange of public keys by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet into the receiving device within a narrow time window. If only one device has the vulnerability, the attack will not succeed.

Devices must also agree on the elliptic curve parameters used, but in some implementations these parameters are not sufficiently validated, allowing remote attackers within wireless range to "inject an invalid public key to determine the session key with high probability."

The Diffie-Hellman (DH) algorithm specifies a public key exchange method that allows two peers to establish a shared secret key known only to them, even when they communicate over an insecure channel.

Companies including Apple, Broadcom, Intel and Qualcomm have said that this cryptographic bug affects their firmware or operating system driver software. Other large companies, such as Google, have not yet commented.

To fix the problem, the Bluetooth SIG has now updated the Bluetooth specification to require that products validate any public key received as part of public-key-based security procedures.
