A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.
The flaw, discovered by researchers at the Israel Institute of Technology and tracked as CVE-2018-5383, is related to the Secure Simple Pairing and LE Secure Connections features.
According to the Bluetooth Special Interest Group (SIG), whose members maintain and improve the technology, Bluetooth specifications recommend that devices supporting the two features validate the public key received during the pairing process. However, this is not a requirement and some vendors’ Bluetooth products do not perform public key validation.
An unauthenticated attacker who is in Bluetooth range of the targeted devices during the pairing process can launch a man-in-the-middle (MitM) attack and obtain the encryption key, which allows them to intercept traffic and forge or inject device messages.
“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth SIG explained.
Additional technical details about the vulnerability and attack method were made public on Monday by CERT/CC.
The Bluetooth SIG says it has now updated specifications to require products to validate public keys. The organization has also added testing for this vulnerability to its Bluetooth Qualification Process, which all products that use Bluetooth must complete.