Eli Biham and Lior Neumann of the Technion (Israel Institute of Technology) have identified a Bluetooth pairing vulnerability that could allow an attacker within radio range to intercept and tamper with traffic between two devices and, from there, gain unauthorized access to them. According to the vulnerability note published on the CERT website, the flaw lies in how some Bluetooth firmware and driver implementations handle the elliptic-curve Diffie-Hellman key exchange performed during pairing, and it affects products from vendors including Apple, Broadcom, Intel, Qualcomm and some Android smartphone makers. Microsoft's products were not affected.
The bug affects both Bluetooth Low Energy "Secure Connections" pairing and "Secure Simple Pairing"; both rely on an ECDH key exchange to establish the link key.
The Bluetooth Special Interest Group (SIG) has also confirmed the vulnerability, but played down its severity. It said that "some vendors may have developed Bluetooth products that support those features but do not perform public key validation during the pairing procedure", while pointing out that, to take advantage of the vulnerability, an attacker would need to be present when two devices start the pairing process.
The SIG's statement noted that "for an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure."
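What "public key validation" means in this context is best seen in code. The following is an added example written for this article; it is not code from the researchers, the SIG or any vendor's Bluetooth stack. Both pairing modes named above run ECDH over NIST P-256, so the check an implementation must perform on the peer's public key is whether it is actually a point on that curve. The function names, the pure-Python affine curve arithmetic and the private scalars are all constructed for the example; only the P-256 domain parameters are standard published constants.

```python
# Added example (not the researchers', SIG's or any vendor's code): the ECDH
# public-key validation step that the SIG statement says some pairing
# implementations skipped. Bluetooth Secure Connections pairing runs ECDH over
# NIST P-256, so the question is simply: is the peer's key a point on P-256?
# Pure-Python affine arithmetic is used so the example runs offline.

# NIST P-256 domain parameters (standard published constants).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# The point at infinity is represented as None; finite points as (x, y).


def inv(v):
    # Modular inverse via Fermat's little theorem (P is prime).
    return pow(v, P - 2, P)


def ec_add(p1, p2):
    """Affine point addition/doubling on P-256."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2, so the sum is the point at infinity
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P  # doubling
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P  # addition
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def validate_public_key(x, y):
    """Full public-key validation for a P-256 peer key.

    Rejects the point at infinity, out-of-range coordinates and any point that
    does not satisfy y^2 = x^3 + ax + b (mod p). Because P-256 has cofactor 1,
    every finite on-curve point has order n, so no separate n*Q == O check is
    needed. Skipping the curve-equation test lets a peer hand over an
    arbitrary (x, y): the scalar multiplication then runs on a different curve,
    whose group may have small order (an invalid-curve attack)."""
    if x is None or y is None:
        return False
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def dhkey(private_scalar, peer_x, peer_y):
    """ECDH shared value (Bluetooth's DHKey is the x-coordinate), computed only
    after the peer key has been validated."""
    if not validate_public_key(peer_x, peer_y):
        raise ValueError("peer public key rejected: not a valid P-256 point")
    shared = ec_mul(private_scalar, (peer_x, peer_y))
    if shared is None:
        raise ValueError("shared secret is the point at infinity")
    return shared[0]


def demo():
    """Two honest parties agree on a DHKey; a tampered key with y forced to 0
    (never on P-256, since the curve has no points of order 2) is rejected.
    The scalars are constructed test values, not real device keys."""
    a_priv = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    b_priv = 0xFEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
    a_pub = ec_mul(a_priv, (GX, GY))
    b_pub = ec_mul(b_priv, (GX, GY))
    k_ab = dhkey(a_priv, *b_pub)
    k_ba = dhkey(b_priv, *a_pub)
    tampered_accepted = validate_public_key(b_pub[0], 0)
    return k_ab == k_ba, tampered_accepted


if __name__ == "__main__":
    print("keys agree: %s, tampered key accepted: %s" % demo())
```

The curve-equation test costs a handful of field multiplications, so there is no performance reason to omit it; a stack that does omit it will happily multiply its private scalar by whatever point the other side of the air interface sends. The arithmetic here is written for readability, not for side-channel resistance, and should not be used in a real pairing implementation.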
Intel has also published an advisory on the vulnerability. According to Intel, "a vulnerability in Bluetooth(R) pairing potentially allows an attacker with physical proximity (within 30 meters) to gain unauthorized access via an adjacent network, intercept traffic and send forged pairing messages between two vulnerable Bluetooth(R) devices. This may result in information disclosure, elevation of privilege and/or denial of service."
Apple has already shipped a fix in macOS High Sierra 10.13.5/10.13.6, iOS 11.4, tvOS 11.4 and watchOS 4.3.1. The vulnerability is reported to have affected Apple devices from 18 January 2018 to 23 July 2018. Dell has also pushed out driver updates to fix the flaw.
Microsoft has confirmed that its products are not affected. Qualcomm's devices are reported to have been affected for only a brief period, from 18 January 2018 to 6 February 2018.