Big bad Bluetooth blunder bug battered – check for security fixes

Crypto cockup lets middle-people spy on connections after snooping on device pairing

With a bunch of security fixes released and more on the way, details have been made public of a Bluetooth bug that potentially allows miscreants to commandeer nearby devices.

This Carnegie-Mellon CERT vulnerability advisory on Monday laid out the cryptographic flaw: firmware or operating system drivers skip a vital check during a Diffie-Hellman key exchange between devices.

The impact: a nearby eavesdropper could “intercept and decrypt and/or forge and inject device messages” carried over Bluetooth Low Energy and Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) wireless connections between gizmos.

In other words, you can potentially snoop on supposedly encrypted communications between two devices to steal their info going over the air, and inject malicious commands. To pull this off, you must have been within radio range and transmitting while the gadgets were initially pairing.


The security weakness crept into pairing implementations that use Diffie-Hellman key exchanges. During pairing, the two devices are meant to create a shared secret key based on an exchange of their public keys, and during that process, the two ends of the conversation agree on the elliptic curve parameters they use.

Some implementations don't validate all the elliptic curve parameters, and that lets an attacker “inject an invalid public key to determine the session key with high probability,” the CERT note explained. “Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages.”

This security shortcoming affects devices that use Secure Simple Pairing and LE Secure Connections. The Bluetooth Special Interest Group, which oversees the communication protocol's standards, said it will update its specifications to prevent goofy implementations:

Researchers at the Israel Institute of Technology identified a security vulnerability in two related Bluetooth features: Secure Simple Pairing and LE Secure Connections.

The researchers identified that the Bluetooth specification recommends, but does not require, that a device supporting the Secure Simple Pairing or LE Secure Connections features validate the public key received over the air when pairing with a new device.

It is possible that some vendors may have developed Bluetooth products that support those features but do not perform public key validation during the pairing procedure. In such cases, connections between those devices could be vulnerable to a man-in-the-middle attack that would allow for the monitoring or manipulation of traffic.

So far, makers of affected Bluetooth chipsets include Apple, Broadcom, Intel, and Qualcomm.

The bug's status in Android is confusing: while it doesn't appear in the operating system project's July monthly bulletin, phone and tablet manufacturers like LG and Huawei list the bug as being patched in the, er, July security update. Microsoft has declared itself in the clear.

The CERT note says fixes are needed both in software and firmware, which should be obtained from manufacturers and developers, and installed – if at all possible. We're guessing for random small-time Bluetooth gizmos, it won't be very easy to prise an update out of the vendors, although you should have better luck with bigger brand gear.

So, make sure you're patched via the usual software update mechanisms, or just look out for nearby snoops, and be ready to thwart them, when pairing devices. Manufacturers were warned in January, it appears, so have had plenty of time to work on solutions.

Indeed, silicon vendor patches for CVE-2018-5383 are already rolling out among larger gadget and device makers, with Lenovo and Dell posting updates in the past month or so.

Linux versions prior to 3.19 don't support Bluetooth LE Secure Connections and are therefore not vulnerable, we're told. ®

Other stories you might like

  • A peek into Gigabyte's GPU Arm for AI, HPC shops
    High-performance platform choices are going beyond the ubiquitous x86 standard

    Arm-based servers continue to gain momentum with Gigabyte Technology introducing a system based on Ampere's Altra processors paired with Nvidia A100 GPUs, aimed at demanding workloads such as AI training and high-performance compute (HPC) applications.

    The G492-PD0 runs either an Ampere Altra or Altra Max processor, the latter delivering 128 64-bit cores that are compatible with the Armv8.2 architecture.

    It supports 16 DDR4 DIMM slots, which would be enough space for up to 4TB of memory if all slots were filled with 256GB memory modules. The chassis also has space for no fewer than eight Nvidia A100 GPUs, which would make for a costly but very powerful system for those workloads that benefit from GPU acceleration.

    Continue reading
  • GitLab version 15 goes big on visibility and observability
    GitOps fans can take a spin on the free tier for pull-based deployment

    One-stop DevOps shop GitLab has announced version 15 of its platform, hot on the heels of pull-based GitOps turning up on the platform's free tier.

    Version 15.0 marks the arrival of GitLab's next major iteration and attention this time around has turned to visibility and observability – hardly surprising considering the acquisition of OpsTrace as 2021 drew to a close, as well as workflow automation, security and compliance.

    GitLab puts out monthly releases –  hitting 15.1 on June 22 –  and we spoke to the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, about what will be added to version 15 as time goes by. During a chat with the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, The Register was told that this was more where dollars were being invested into the product.

    Continue reading
  • To multicloud, or not: Former PayPal head of engineering weighs in
    Not everyone needs it, but those who do need to consider 3 things, says Asim Razzaq

    The push is on to get every enterprise thinking they're missing out on the next big thing if they don't adopt a multicloud strategy.

    That shove in the multicloud direction appears to be working. More than 75 percent of businesses are now using multiple cloud providers, according to Gartner. That includes some big companies, like Boeing, which recently chose to spread its bets across AWS, Google Cloud and Azure as it continues to eliminate old legacy systems. 

    There are plenty of reasons to choose to go with multiple cloud providers, but Asim Razzaq, CEO and founder at cloud cost management company Yotascale, told The Register that choosing whether or not to invest in a multicloud architecture all comes down to three things: How many different compute needs a business has, budget, and the need for redundancy. 

    Continue reading

Biting the hand that feeds IT © 1998–2022