Bluetooth Bug that doesn’t sufficiently validate ECDH keys can leave your device Vulnerable!
Two Bluetooth security vulnerabilities have been found in the current Bluetooth device specifications. The two features that were found to be vulnerable to a cryptographic Bluetooth bug are Secure Simple Pairing and LE Secure Connections that is done between two Bluetooth enabled devices. This vulnerability has been tracked as CVE-2018-5383.
During a connection that is being established between two Bluetooth Capable Devices, the validation and encryption parameters do not sufficiently verify and validate the public keys which are exchanged during a Diffie-Hellman Key exchange.
It results in a weak pairing between the devices and leaves the communication between the devices open to attack from a remote attacker who might obtain the encryption key. This allows the attacker within range of the communicating Bluetooth devices to determine the cryptographic keys used by the pairing devices.
The pairing procedure used by a Bluetooth device is based on the Elliptic-curve Diffie-Hellman (ECDH) key exchange encryption algorithm. When two devices communicate each ECDH Key Pair on the devices consists of a private key and a public key. The Public keys are exchanged during the pairing and generate a shared pairing key for the communication to start.
The communicating devices trying to pair also need to agree to the Elliptic-curve parameters being used during the pairing of the devices. It has been highlighted by the researchers that ECDH Parameters used for the pairing are not always validated before generating the shared pairing key.
This lapse causes the attacker to easily target the communicating devices for a man-in-the-middle attack. The attacker requires less effort in obtaining the private key of the device due to the improper implementation of the validation and encryption parameters by the ECDH encryption algorithm.
Once the remote attacker gains access to the device, they can inject an invalid public key to determine session key, generated by the exchange of the public keys, with very high probability. The cyber attacker can then use the access to the device and passively intercept and decrypt messages or inject malicious messages.
The Simple Secure Pairing in device firmware may be affected in BR/EDR implementations and the Low energy (LE) implementations of Secure Connections Pairings in Operating System Software.
Bluetooth SIG has updated its Bluetooth specifications and every pairing communication now requires a validation of the public key when received as part of the public key exchange security procedures. This provides a remedy to this vulnerability from a specification perspective. The Bluetooth SIG has also added a testing program in its Bluetooth Qualifications Program.
The List of vendors affected by this Bluetooth Bug includes Apple, Intel, Broadcom and Qualcomm. Microsoft was unaffected by this Bluetooth bug and it is still unknown whether Android, Google, Linux kernel and Bluetooth SIG were affected by this vulnerability.
The Bluetooth SIG has issued a statement saying that there has been no malicious exploitation of the Bluetooth Bug as of now and the involved vendors have been notified to update and remedy their products including desktops, laptops, smartphones and IoT/Smart Devices by integrating the necessary patches in the firmware and the operating system software as required.