Devices from a large number of manufacturers are affected by a serious vulnerability in the Bluetooth specification that allows attackers to capture and manipulate data exchanged wirelessly. People using Bluetooth to connect to smartphones, computers, or other security-sensitive devices should make sure they install a fix as soon as possible.
The attack, described in a paper published Wednesday, is serious because it allows people to perform a man-in-the-middle attack on vulnerable devices. From there, attackers can see exchanged data, which may include contacts stored on a device, keyboard input, or sensitive information used by medical, point-of-sale, or car equipment. Attackers can also forge keystrokes on a Bluetooth keyboard to open a command window or malicious website in a direct compromise of the connected phone or computer.
Bluetooth combines Simple Secure Pairing or LE Secure Connections with the principles of elliptic curve mathematics to allow devices that have never been connected before to securely establish a secret key needed for encrypted communication. The attack uses a newly developed variant of what cryptographers call an invalid curve attack to exploit a major shortcoming in the Bluetooth protocol that remained unknown for more than a decade. As a result, attackers can force the devices to use a known encryption key, which allows them to monitor and modify data sent wirelessly between the devices.
"This attack allows an attacker who can read and change Bluetooth traffic during pairing to force the key to be something they know," JP Smith, a security engineer and Bluetooth security expert at the security company Trail of Bits, told Ars. "It's not mathematically/theoretically novel at all, and it's actually the easiest attack you can do on elliptic curve cryptosystems. In particular, this is a protocol error, so if you implemented the Bluetooth specification by the book (without any optional validation), you have this error."
The active man-in-the-middle attack, which allows data to be modified, succeeds on 50 percent of connections, while the rest fail. A corresponding passive attack affects 25 percent of the pairings. Attackers who do not succeed on the first try are free to try again on later connections. Attacks work even when pairing requires the user to enter a six-digit number displayed on one device into the other. Attacks require specialized hardware that probably will not be difficult for more advanced hackers to build or obtain.
In the paper, researchers from the Technion-Israel Institute of Technology write:
We will point out two major design errors that make our attack possible. The first design error is sending both the x-coordinate and the y-coordinate during the public key exchange. This is unnecessary and highly inappropriate since it greatly increases the attack surface, while calculating the y-coordinate from a given x-coordinate is simple.
The other major error is that while both coordinates of the public keys are sent during the second phase of the pairing, the protocol only authenticates the x-coordinate. We are not aware of any reason why the designers decided to leave the y-coordinate unauthenticated, other than to save a small calculation effort. Although point validity should be verified by the implementation, our attack could also be avoided if both coordinates were authenticated.
Another minor mistake is that the protocol designers state, "To protect a device's private key, a device should implement a method to prevent an attacker from retrieving useful information about the device's private key using invalid public keys. For this purpose, a device may use one of the following methods." In this quote, the description uses the term "should" (as opposed to "must"). Therefore, implementers can skip the instruction, as it is not mandatory for compliance with the specification.
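The receiver-side check the researchers refer to, written out as an added example (it is not code from the paper, the specification, or this article). It assumes the NIST P-256 curve, which the article does not name, and the function names are hypothetical.

```python
# Added example: validating a peer's public key before ECDH.
# Assumption: NIST P-256 parameters; the tampered key below is constructed.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime
A = P - 3                                         # curve coefficient a
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def on_curve(x, y):
    """True only if both coordinates are in range and
    y^2 = x^3 + a*x + b (mod p) holds."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (pow(x, 3, P) + A * x + B)) % P == 0


def recover_y(x):
    """Recompute y from x alone. Returns both square roots, or None
    when no point on the curve has this x-coordinate."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)      # valid square root since p % 4 == 3
    if (y * y) % P != rhs:
        return None
    return (y, P - y)


def accept_peer_key(x, y):
    """Reject any received key that is not a point on the curve, so an
    unauthenticated y-coordinate cannot move the exchange off it."""
    if not on_curve(x, y):
        raise ValueError("peer public key is not a point on P-256")
    return (x, y)


if __name__ == "__main__":
    # Constructed input: the generator as an honest key, then the same
    # x-coordinate with a modified y-coordinate.
    print("honest key accepted:", accept_peer_key(GX, GY) == (GX, GY))
    tampered_y = (GY + 1) % P
    print("tampered key on curve:", on_curve(GX, tampered_y))
    print("y recomputed from x matches:", GY in recover_y(GX))
```

Because the x-coordinate is the one the protocol authenticates, recomputing y from it (up to sign) or checking the curve equation both close the gap described in the quoted passage.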
A number of devices and software, including macOS, iOS, Android, and products from LG and Huawei, have already received updates. In a FAQ, the researchers said that Bluetooth from Microsoft "implemented an old version of the standard, which is even less secure, instead of the broken modern standard." A CERT advisory is here.
In order for the attacks to succeed, both of the paired devices must be vulnerable. This means that as long as either one is patched, users are not susceptible. People using Bluetooth to transmit sensitive data or control trusted devices should ensure that they have installed updates on at least one of them. While patches are available for many common devices, there are probably many more specialized ones used in hospitals, stores, and other environments that will remain unprotected for the foreseeable future. Users of these devices should check with manufacturers.