Apple, Intel and Qualcomm patch Bluetooth implementation vulnerability

Several major companies, including Apple, Intel, Broadcom and Qualcomm, have patched a vulnerability in their Bluetooth implementations. The flaw made it possible for an attacker to decrypt encrypted Bluetooth traffic and inject messages. Patches have already been released.

The American CERT has published a warning with an overview of the steps taken by the companies, such as Apple. The manufacturers released patches in June and July. The vulnerability in the implementations, labeled CVE-2018-5383, relates to connection setup. Bluetooth uses an elliptic curve Diffie-Hellman key exchange, which is subject to certain requirements. In some implementations, such as those of the aforementioned companies, certain parameters are not validated, making it relatively easy for an attacker in range to recover the session key. With that key, the attacker can intercept Bluetooth traffic and inject malicious messages.

Microsoft’s implementation is not affected, according to CERT, and the status of Android, Google and the Linux kernel is unclear. The Bluetooth SIG Steering Committee has also issued a warning, stating that the organization is not aware of any misuse of the vulnerability. It credits the discovery to two researchers at the Israel Institute of Technology, Lior Neumann and Eli Biham.

About the attack, it writes: “The attacker’s device would have to intercept the public key exchange by blocking any transmission and send an acknowledgment to the sending device, then inject malicious packets towards the receiving device within a short period of time. If only one of the two devices is vulnerable, the attack cannot succeed.” The organization has updated the Bluetooth specification and says it will test for the vulnerability during the certification process.