Notebookcheck
, , , , , ,
search relation.
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
 

New critical Bluetooth exploit discovered

The latest Bluetooth vulnerability affects smartphones as well as laptops integrating Intel/Broadcom/Qualcomm Bluetooth-enabled hardware. (Source: Cubot Blog)
The latest Bluetooth vulnerability affects smartphones as well as laptops integrating Intel/Broadcom/Qualcomm Bluetooth-enabled hardware. (Source: Cubot Blog)
The latest Bluetooth vulnerability may affect many more devices than last year's BlueBorne, because it can affect smartphones as well as laptops that integrate Apple, Google, Intel, Broadcom or Qualcomm hardware. Due to insufficient encryption validation during the pairing process. Microsoft claims that Windows 10 is not affected, but all the other companies are releasing fixes as soon as possible.
Bogdan Solca,
, , , , , ,
search relation.
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
 

Last year, Google identified a severe Bluetooth security flaw codenamed BlueBorne that allowed hackers to access any device that had Bluetooth enabled. Even though the vulnerability was patched relatively fast, it seems that the troubles with Bluetooth-enabled devices is not over yet. Just recently, another security exploit was discovered, this time affecting smartphones as well as laptops that integrate Apple, Broadcom, Intel and Qualcomm hardware. Microsoft stated that Windows 10 is not affected, while Google Android, Linux, iOS and macOS are still at risk.

According to CERT, the new security flaw makes use of features like “Secure Simple Pairing” and Low Energy "Secure Connections.” Here is how the security flaw can affect Bluetooth-enabled devices that do not sufficiently validate encryption parameters during the pairing process:

"Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must also agree on the elliptic curve parameters being used.

In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages."


Apple just issued patches to fix this problem, and users are advised to install the macOS High Sierra 10.13.5, iOS 11.4 (disclosed on July 23), watchOS 4.3.1, and tvOS 11.4. Likewise, Intel stated that a patch for its Wireles-AC family has been released, while Google’s Chrome OS and Android will receive an update as soon as possible. Broadcom and Qualcomm also released fixes to their OEM partners and these should be available in the next days.

Source(s)

static version load dynamic
Loading Comments
Comment on this article
, , , , , ,
search relation.
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
 
Bogdan Solca
Bogdan Solca - Senior Tech Writer - 1575 articles published on Notebookcheck since 2017
I first stepped into the wondrous IT&C world when I was around seven years old. I was instantly fascinated by computerized graphics, whether they were from games or 3D applications like 3D Max. I'm also an avid reader of science fiction, an astrophysics aficionado, and a crypto geek. I started writing PC-related articles for Softpedia and a few blogs back in 2006. I joined the Notebookcheck team in the summer of 2017 and am currently a senior tech writer mostly covering processor, GPU, and laptop news.
contact me via: Facebook
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2018 07 > New critical Bluetooth exploit discovered
Bogdan Solca, 2018-07-25 (Update: 2018-07-25)