New Bluetooth vulnerability affects all devices and could allow an attacker to snoop on your data

By Shubham Sharma | Updated 26 Jul 2018
  • Devices made by vendors like Apple, Intel, Broadcom, and some Android devices are reportedly affected by the Bluetooth bug.

The Computer Emergency Response Team (CERT) has published a report on a serious Bluetooth vulnerability that affects not only smartphones but also tablets, laptops and most other Bluetooth-enabled devices. The bug was discovered by Lior Neumann and Eli Biham of the Israel Institute of Technology and is tracked as CVE-2018-5383. There is apparently an issue with the data encryption process when data is transferred between two devices, which allows an attacker in the near vicinity to capture and decrypt the data being shared via Bluetooth. “An unauthenticated, remote attacker within range may be able to utilize a man-in-the-middle network position to determine the cryptographic keys used by the device. The attacker can then intercept and decrypt and/or forge and inject device messages,” explains CERT.


As per the report, the bug is confirmed to affect Broadcom, Intel, Apple, and Qualcomm hardware, and some other Android-powered handsets. It affects both Pairing and LE Secure Connections, including Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software. The problem arises from a security weakness in the key exchange (a Diffie-Hellman key exchange) that happens when two devices establish a Bluetooth connection.

The patch is said to be rolling out for devices; for Android, the issue is addressed with the June security patch. For macOS users, Apple released a patch for the vulnerability earlier this month. Microsoft is not affected by the bug. The Register reports that manufacturers like Lenovo and Dell are working on a patch for the issue and have posted updates in the past month or so. As Linux versions prior to 3.19 don't support Bluetooth LE Secure Connections, they are said to be unaffected by the vulnerability. The CERT article states that fixes are needed in both software and firmware. Users should check whether a software update is available for their device to patch the issue.
