For years, there has been a serious weakness in the Bluetooth specification that meant any attacker within range of target devices could jump in the middle of their pairing communication and then intercept traffic between them.
The issue is with the way that devices handle the cryptographic key exchange portion of the pairing process. When two Bluetooth-enabled devices try to connect, they need to establish an encrypted connection, and they do that through the elliptic curve Diffie-Hellman (ECDH) key exchange protocol. The devices exchange public keys and then derive a shared key. But researchers found that some implementations of the Bluetooth specification don’t validate the public key during this process, meaning that an attacker could insert his own public key into the pairing process, gain a man-in-the-middle position, and then passively intercept and decrypt traffic between the devices.
“In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages,” the CERT/CC at Carnegie Mellon University said in an advisory about the Bluetooth weakness.
The vulnerability affects devices from a number of manufacturers, including Apple, Broadcom, Intel, and Qualcomm. Apple issued a patch for the bug in its products earlier this month, and Intel recommends that users of devices with affected chips update the drivers from their vendors.
An attacker would need to be within Bluetooth pairing range in order to execute an attack on this weakness, and also would need to be present during the pairing process. The Bluetooth SIG, which is responsible for the specification, said both devices in a pairing handshake would need to be vulnerable in order for the attack to work.
“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the group said.
“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability.”
The Bluetooth SIG has updated the specification so that it now requires that devices validate public keys during the pairing process.
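What that validation amounts to on the receiving side, as an added example (not code from the Bluetooth specification or any vendor): the peer's point is accepted only if both coordinates are in range and satisfy the curve equation, and pairing is aborted otherwise. The choice of NIST P-256, the 64-byte X||Y little-endian encoding, and all function names are assumptions made for this sketch.

```python
# Added example: on-curve check for a peer's ECDH public key.
# Assumptions (not from the article): NIST P-256, 64-byte X||Y encoding.

# NIST P-256 domain parameters: y^2 = x^3 + A*x + B (mod P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Base point, used here only as a known-good sample key
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


class InvalidPublicKey(ValueError):
    """Raised when a received key must cause the pairing to be aborted."""


def is_on_curve(x: int, y: int) -> bool:
    """True only if (x, y) is a valid affine point on the curve."""
    # Range check first: coordinates must be reduced field elements.
    if not (0 <= x < P and 0 <= y < P):
        return False
    # Both coordinates take part in the check; validating x alone
    # would leave y unconstrained.
    return (y * y - (x * x * x + A * x + B)) % P == 0


def encode_key(x: int, y: int, byteorder: str = "little") -> bytes:
    """Serialize a point as 32-byte X followed by 32-byte Y."""
    return x.to_bytes(32, byteorder) + y.to_bytes(32, byteorder)


def parse_peer_key(raw: bytes, byteorder: str = "little") -> tuple:
    """Decode and validate a received key before any shared-secret math."""
    if len(raw) != 64:
        raise InvalidPublicKey("expected 64 bytes (X || Y)")
    x = int.from_bytes(raw[:32], byteorder)
    y = int.from_bytes(raw[32:], byteorder)
    if not is_on_curve(x, y):
        raise InvalidPublicKey("point is not on the curve; abort pairing")
    return x, y


if __name__ == "__main__":
    good = encode_key(GX, GY)           # constructed sample: valid point
    bad = encode_key(GX, GY ^ 1)        # constructed sample: altered Y
    print("valid key accepted:", parse_peer_key(good) == (GX, GY))
    try:
        parse_peer_key(bad)
    except InvalidPublicKey as exc:
        print("altered key rejected:", exc)
```

P-256 has cofactor 1, so for this curve the range and curve-equation checks are sufficient; curves with a larger cofactor need an additional subgroup check.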