Vulnerability capable of intercepting and tampering with Bluetooth communication is discovered, affecting multiple OS / devices

In Bluetooth, which are widely used such as smart phones and PC as a wireless communication standard, the attacker in the vicinity of the target, even if the communication intercept and monitor regardless of the not authenticated, and there is a vulnerability that can be tampered with, Israel Institute of Technology The university researchers have reported.

New Bluetooth Hack Affects Millions of Devices from Major Vendors
https://thehackernews.com/2018/07/bluetooth-hack-vulnerability.html

Bluetooth SIG Security Update | Bluetooth Technology Website
https://www.bluetooth.com/news/unknown/2018/07/bluetooth-sig-security-update

In Bluetooth version 4.0 and later, there are two types of wireless standards, BR / EDR and LE, each of which has different specifications of security. Researchers at the Israel Institute of Technology reported vulnerability " CVE-2018-5383 " related to two functions, LE Secure Connection Pairing and BR / EDR Secure Simple Pairing.

When pairing with LE secure connection between Bluetooth-compatible devices or BR / EDR secure simple pairing, share the key with the protocol " elliptic curve Diffie · Hellman key sharing ". We use the "elliptic curve parameter" to generate the public key, but if both devices do not verify this parameter , the attacker can take a man- in-the- middle attack within the wireless communication range, Malicious packets can be sent. It is pointed out that an attacker could get an encryption key and intercept and tamper with Bluetooth communication.

by Mirko Pagano

To improve this vulnerability, Bluetooth Special Interest Group (SIG), who is responsible for maintaining Bluetooth technology, updated Bluetooth specifications and changed the device to verify parameters and public keys received by pairing It announces.

CVE - 2018 - 5383 affects drivers of major vendors such as Apple, Intel, Qualcomm, Broadcom, and firmware and OS drivers. According to the Bluetooth SIG, we have not confirmed cases where this vulnerability was exploited, but we urge each vendor and manufacturer to apply the necessary patches promptly. In addition, users using Bluetooth devices are calling for confirmation of the latest update of PCs and devices being used.