Slashdot Mirror


Bluetooth Security Flaw Could Let Nearby Attacker Grab Your Private Data (zdnet.com)

A recently discovered bug in many Bluetooth firmware and OS drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices. Researchers at the Israel Institute of Technology discovered the flaw, which was flagged today by Carnegie Mellon University CERT. It affects Bluetooth's Secure Simple Pairing and Low Energy Secure Connections. ZDNet reports: As the CERT notification explains, the vulnerability is caused by some vendors' Bluetooth implementations not properly validating the elliptic-curve public key received from the peer during pairing (that is, not checking that the point actually lies on the curve). The flaw slipped into the Bluetooth key exchange implementation, which uses the elliptic-curve Diffie-Hellman (ECDH) key exchange to establish a secure connection over an insecure channel. This may allow a nearby attacker to inject a bogus public key and thereby determine the session key during the public-private key exchange. They could then conduct a man-in-the-middle attack and "passively intercept and decrypt all device messages, and/or forge and inject malicious messages." Thankfully, patches are on the way. "Intel recommended users upgrade to the latest support driver and to check with vendors if they have provided one in their respective updates," reports ZDNet. "Dell has released a new driver for the Qualcomm driver it uses while Lenovo's update is for the flaw in Intel software. LG and Huawei have referenced fixes for CVE-2018-5383 in their respective July updates for mobile devices." It is not yet known if Android, Google, or the Linux kernel are affected. Apple released a patch for the flaw earlier this month.
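The summary describes the flaw in one sentence: the peer's ECDH public key is used without checking that it is a point on the curve. The following is an added example, not code from the page, ZDNet, CERT or any affected vendor, that shows the mechanism with textbook affine arithmetic on NIST P-256 (the curve both pairing modes use). The private-key values, the forged point and the function names are constructed for illustration. The key observation is that the point-addition and doubling formulas never reference the curve constant b, so an implementation that skips the on-curve check will multiply its private key by a point that belongs to a different curve; a point with y = 0 has order 2 there, so the "shared secret" depends only on whether the victim's private key is odd or even.

```python
"""Invalid-curve (zeroed y-coordinate) attack on unvalidated P-256 ECDH.

Added example for illustration; not the Bluetooth stack's own code.
"""

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity


def on_curve(pt):
    """The check the vulnerable implementations skipped: is pt really on P-256?"""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition. Note that b never appears in these formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1, which includes doubling any point with y == 0
            return INF
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def dh_shared_point(priv, peer_pub, validate=True):
    """One side's ECDH step. validate=False reproduces the vulnerable behaviour;
    a real stack would derive the link key from the x-coordinate of the result."""
    if validate and not on_curve(peer_pub):
        raise ValueError("peer public key is not a point on P-256")
    return ec_mul(priv, peer_pub)


def forge_public_key(genuine_pub):
    """Attacker in the middle: keep the x-coordinate and replace y with 0.
    (x, 0) is not on P-256 (the group order is odd, so no point has order 2),
    but on the curve it does lie on it is a point of order 2."""
    x, _ = genuine_pub
    return (x, 0)


def victim_result_without_validation(victim_priv, forged_pub):
    """What an unpatched victim computes from the forged key. The outcome is
    forged_pub for an odd private key and INF for an even one, so the attacker,
    who chose the point, knows the victim's 'secret' with probability 1/2."""
    return dh_shared_point(victim_priv, forged_pub, validate=False)


if __name__ == "__main__":
    # Constructed private keys for the demo (not real device keys).
    alice_priv = 0x1d9c8f0ec0ffee1234567890abcdef0123456789abcdef0123456789abcdef01
    bob_priv = 0x7a2b3c4d5e6f70819293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
    forged = forge_public_key(ec_mul(bob_priv, G))
    print("forged point on curve:", on_curve(forged))
    print("unpatched Alice computes:", victim_result_without_validation(alice_priv, forged))
    try:
        dh_shared_point(alice_priv, forged)
    except ValueError as exc:
        print("patched Alice rejects it:", exc)
```

The fix is the `validate=True` path: before using a received public key, confirm it satisfies the curve equation (and is not the point at infinity), which is what the CERT note and the vendor patches amount to. Note that the demo also shows what is and is not exposed: the victim's private key is not recovered (only its parity leaks), but the shared secret the session key is derived from is known to the attacker, which is the point raised in comment 10 below.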

30 comments

  1. I'm not worried by Anonymous Coward · · Score: 2, Funny

    My BT mouse regularly loses connection with my computer sitting 1 meter away. If you can intercept it at 30 meters, you deserve to get all the private data I'm leaking ... about the position of the cursor on my screen.

    1. Re:I'm not worried by weilawei · · Score: 1

      On the flip side of that, I have an excellent pair of LG Bluetooth earbuds which I wear constantly and use to take calls while working or otherwise occupied. Frequently my phone is 20-30 feet away charging, and they work pretty reasonably out to that range. I'd like to keep my calls private (you're welcome to listen to my Pandora stations, if you have a Vogon taste in music).

      I didn't RTFA; and I barely skimmed TFS. Is there a list of known bad implementations?

    2. Re:I'm not worried by Anonymous Coward · · Score: 0

      But you know, when your cursor stops at the cross points of a typical composition and starts moving slightly up and down they will know what you're up to.

    3. Re:I'm not worried by drinkypoo · · Score: 1

      Bluesniper says thank you!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:I'm not worried by Highdude702 · · Score: 1

You mean when I bounce my leg and it moves the mouse? It is troublesome with a high DPI mouse. I end up click-dragging things more than I get click-throughs when I do it.

    5. Re:I'm not worried by Anonymous Coward · · Score: 0

      Mouse cursors want what mouse cursors want.

  2. Already Fixed In Many Cases by WankerWeasel · · Score: 3, Informative

    Apple has already introduced a fix for the bug on its devices (in macOS High Sierra 10.13.5/10.13.6, iOS 11.4, tvOS 11.4, and watchOS 4.3.1), so iOS and Mac users do not need to worry. Intel, Broadcom, and Qualcomm have also introduced fixes, while Microsoft says its devices are not affected.

    1. Re:Already Fixed In Many Cases by DontBeAMoran · · Score: 1

      I don't think all Mac users are running the latest versions of the operating systems on all their devices.

      --
      #DeleteFacebook
    2. Re:Already Fixed In Many Cases by anss123 · · Score: 1

      True enough. My iPad can't update to iOS 11, it's stuck on 10, which presumably won't be patched. Not that it matters to me, I only use Bluetooth for music.

    3. Re:Already Fixed In Many Cases by Anonymous Coward · · Score: 0

How about snooping in on phone conversations in vehicles? Apple is ONLY one of thousands. Even though they may issue a fix to their currently supported products, they won't give an American dollar towards older products. Nor will they care if 99% of people are aware of the issue, or provide an easy method to update, let's say, your automobile...

      Can't wait to hear what conversations are intercepted by Russia and the DumAsCrap party.

    4. Re:Already Fixed In Many Cases by Anonymous Coward · · Score: 0

I can't upgrade my Mac to the latest OS simply due to some music production software I use that absolutely cannot run on the latest and greatest. I keep that system pretty locked down though. Bluetooth is literally only used for the mouse and the wireless network is almost always turned off unless I have to update a specific piece of software or get a license refresh for my iLok.

      I'd feel differently about it if it were a laptop going out in public on a regular basis, but I feel relatively safe with my home system always being at the house. And if somebody can crack in through the bluetooth, more power to them. They can listen to my shitty music and read my abysmal novels. Teach them to break into my shit.

    5. Re:Already Fixed In Many Cases by Plumpaquatsch · · Score: 1

      I don't think

      That much is true. Apple of course also updated 10.12 and 10.11.

      --
      Of course news about a fake are Fake News.
  3. This is why I don't ... by CaptainDork · · Score: 2

    ... take showers.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:This is why I don't ... by Highdude702 · · Score: 1

Currently I take a shower at least once a year whether it's needed or not. But with stuff like this coming to light, I may stretch this to once every decade. The privacy issues make me feel dirty however.

  4. Bluetooth needs to die by Anonymous Coward · · Score: 0

    Bluetooth never worked well, it seemed like the industry had too many voices when it was being developed.

Bluetooth always disconnects, reconnection is a pain in the ass, connection or disconnection or pairing is entirely random. Bluetooth is, was, and will remain completely unfit for the consumer market; it was half baked and should not have been released. How people aren't launching a ton of civil suits under lemon laws I have no idea.

Oh, it has security flaws on top of low battery life and connectivity issues? Well, color me shocked.

I find anything with a micro USB dongle usually has an AA battery lifetime of 8+ months and never any connectivity issues. Bluetooth was supposed to work like this, but in practice it sucks batteries dry like a vampire and forgets everything like an old man with dementia.

    1. Re:Bluetooth needs to die by Anonymous Coward · · Score: 0

      Not only that, it has the tendency to not only crash itself, but to take the phone with it. It is also known for being unrecoverable without a system reboot, that is, if it didn't already force a reboot of the system to begin with.

  5. Wired by AHuxley · · Score: 1

    is the wise option as it always was. Who would open their devices to any stranger with wireless skills?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Wired by Gojira+Shipi-Taro · · Score: 1

      And completely unworkable for devices such as smartwatches, etc. I'm extremely careful what data I use on connections like that, and I do wired connections where possible on my home network, but seriously. Eschewing all wireless connections on the off chance that someone nearby is going to hack you is borderline Luddite. Just be mindful of what you're doing and where.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    2. Re:Wired by zlives · · Score: 1

      yeah security is like totally Luddite

    3. Re:Wired by Anonymous Coward · · Score: 0

      I dunno, paranoia is a mental condition we put people in the hospital for. Luddites are celebrated and we buy lots of sausage and well made wood furniture from them.

    4. Re:Wired by AHuxley · · Score: 1

      "mindful" is not really an option with a wireless connection anyone can connect with.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Wired by demonlapin · · Score: 2

      Um, if it's not end-to-end encrypted with some pretty serious crypto that I trust, then I don't discuss anything important on it. You want to listen to me ask my wife if we need anything from the grocery, knock yourself out (while trying to stay within range of my car). Sensitive business stuff? No.

      Besides, TFA says that this only works if you have two vulnerable devices that are undergoing pairing. There are target-rich environments out there (e.g., the rental car lot at a major airport), but that doesn't strike me as a major attack vector unless you're the victim of a highly targeted state-sponsored attack, in which case you're probably screwed anyway.

  6. 30 metres? Make that 3 kilometres. by Anonymous Coward · · Score: 0

    Remember the car whisperer guys with their "long distance snarf"? Not the only ones to do that either. No reason why you couldn't do that here.

  7. And my car will get an update when? by Anonymous Coward · · Score: 0

and so my phone conversations will be secured when, if ever?

  8. I've had bluetooth off by Anonymous Coward · · Score: 0

since the first time I saw this headline, about 15 years ago.

  9. I never trust bluetooth anyways by Anonymous Coward · · Score: 0

    I talk with my phone to my head, and I only watch "sensitive" shit with cabled headphones.

  10. "Private key"? by Ungrounded+Lightning · · Score: 1

    TFA and the first paragraph of the CERT advisory it quotes talk about exposing the "private key".

I'm not clear whether this is a misspeak, with the vulnerable key being the session key, or if the parameter checking failure actually jeopardizes the private key of the attacked system.

The latter is a MUCH bigger problem. If it's only the session key that may be exposed, fixing the bug is all you need (unless the attacker was able to get into a service that let him view or alter the private key of the affected devices). If the private key was exposed and obtained, devices will need to be re-keyed.

    Does anyone looking into this have information to distinguish the two cases?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way