When I first encountered Bluetooth years ago I thought of it as a simple low bandwidth short distance wireless technology. It's proven to be much more popular than I expected. The application of Bluetooth now encompasses printers, keyboards, computer mice, scanners, laptops, tablets, phones, cars, headsets, and probably IoT devices.
I'm sure most people think of Bluetooth as a commodity technology and not something to be concerned about. However, a recent security vulnerability notice has pointed out that Bluetooth firmware and operating system drivers may not sufficiently validate the public keys they receive or generate during pairing. This may allow an attacker within wireless range to obtain the encryption key used by that device.
How Bluetooth Works
Bluetooth is a wireless data transmission technology that uses the same frequency band as Wi-Fi. It is a standard for communication over short distances, about 30 feet, between fixed and mobile devices. It was invented by an electrical engineer working for the telecom vendor Ericsson in 1994, originally as a wireless alternative to RS-232 data cables.
CERT Coordination Center
The Computer Emergency Response Team (CERT) Coordination Center recently published a vulnerability note concerning Bluetooth implementations that may not properly validate elliptic-curve Diffie-Hellman (ECDH) key exchanges. To explain, an ECDH key pair consists of a private key and a public key. The two devices exchange public keys and each combines the other's public key with its own private key to derive a shared pairing key. The notice says that the ECDH parameters received from the peer are not always validated before being used, which makes it easier for a malicious party to recover the keys.
Discovering the Vulnerability
This Bluetooth vulnerability was identified by researchers at the Technion Israel Institute of Technology. Specifically, they discovered that the Bluetooth specification did not require devices supporting the Secure Simple Pairing or LE Secure Connections features to validate the public key received when pairing with a new device. It is speculated that some vendors have developed Bluetooth products that support those features but do not perform public key validation during the pairing procedure.
Connections between two such devices are vulnerable to a man-in-the-middle attack that allows the monitoring and manipulation of transmissions. An attacking device needs to be within wireless range (about 30 feet) of both vulnerable Bluetooth devices. The attacking device intercepts the public key exchange by blocking each transmission, returns an acknowledgement to the sending device, and sends a malicious packet to the receiving device. If only one of the two devices is vulnerable, the attack fails.
Vulnerability Remedy
The Bluetooth Special Interest Group (SIG) has updated the Bluetooth specification to require products to validate any public key received as part of a public key-based security procedure. The Bluetooth SIG has also added testing for this vulnerability to its Bluetooth Qualification Program.
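The validation step the updated specification now requires, applied to the ECDH exchange described under "CERT Coordination Center", as an added example that is not code from the original post or from the Bluetooth SIG: a peer's public key is checked to be a genuine point on the curve before it is used to compute the shared key. It assumes the NIST P-256 curve that Secure Simple Pairing and LE Secure Connections use; the private scalars and the malformed test point are constructed for the demonstration.

```python
# Added example (not code from the original post or the Bluetooth SIG): the peer
# public-key validation a pairing implementation must do before ECDH, on the
# P-256 curve used by Secure Simple Pairing / LE Secure Connections. Pure Python.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # field prime
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    """Full key validation for P-256 (cofactor 1): finite, in-range, y^2 == x^3 + A*x + B."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def shared_secret(priv, peer_pub):
    """Validating ECDH: refuse an off-curve peer key; otherwise return DHKey (the x-coordinate)."""
    return mul(priv, peer_pub)[0] if on_curve(peer_pub) else None

def demo():
    # Constructed private scalars; a real pairing draws them from a CSPRNG in [1, N-1].
    a_priv, b_priv = 0x1f3a5c7e9b2d4f6081a3c5e7f9b1d3f5, 0x8e6c4a2f0d1b3957c5e7a9bd1f3e5c07
    a_pub, b_pub = mul(a_priv, G), mul(b_priv, G)
    bad_pub = (G[0], 0)  # constructed malformed key: generator's x with y forced to 0
    return {"match": shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub),
            "rejected": shared_secret(a_priv, bad_pub) is None}
```

A device that skipped on_curve() would run the scalar multiplication on bad_pub anyway; the fix the SIG mandated is exactly that check, and P-256's cofactor of 1 means the on-curve test is sufficient.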
I've found no evidence that the vulnerability has been exploited maliciously. Bluetooth SIG is unaware of any devices implementing the attack having been developed. However, now that the vulnerability is public knowledge, I expect there will be attempts to take advantage of this vulnerability. Bluetooth SIG is also communicating details on this vulnerability and its remedy to its members, encouraging them to rapidly integrate any necessary patches.
Bluetooth users should also ensure they have installed the latest recommended updates from their device and operating system vendors (see "Bluetooth SIG Security Update" posted at the Bluetooth website).
Vendor Vulnerability Status
At the time CERT posted the vulnerability note (July 23, 2018), some vendors had released patches while the status of others was unknown. See the chart below.
[Chart: Vendor Status from Vulnerability Note]
Bluetooth applications are pervasive. A security issue in Bluetooth pairing that affects data transmission simply cannot be ignored. You need to contact the vendors of any devices that have Bluetooth capability and look for patches and firmware updates that fix this problem.
You may have trouble finding out how many Bluetooth-capable devices you own. Many organizations do not inventory the Bluetooth capabilities of their devices, since in most cases they assume the very short transmission range makes them less exposed to attack. But the threat is still there. This is not something that can be taken care of later, since the population of Bluetooth devices is enormous.