Is Bluetooth Vulnerable?

A recent security notice points to yes.

Gary Audin

July 27, 2018

4 Min Read

When I first encountered Bluetooth years ago I thought of it as a simple low bandwidth short distance wireless technology. It's proven to be much more popular than I expected. The application of Bluetooth now encompasses printers, keyboards, computer mice, scanners, laptops, tablets, phones, cars, headsets, and probably IoT devices.

I'm sure most people think of Bluetooth as a commodity technology and not something about which to be concerned. However, a recent security vulnerability notice has pointed out that Bluetooth firmware and operating system software drivers may not sufficiently validate and generate public keys. This may allow a remote attacker to obtain the encryption key used by that device.

How Bluetooth Works
Bluetooth is a wireless data transmission technology using the same frequency as Wi-Fi. It's a standard for operating over short distances, about 30 feet, from fixed and mobile devices. It was invented by an electrical engineer working for telecom vendor Ericsson in 1994. It was originally designed as a wireless alternative to RS-232 data cables.

CERT Coordination Center
The Computer Emergency Response Team (CERT) Coordination Center recently published a vulnerability note concerning Bluetooth implementations that may not properly validate Elliptic Curve Diffie-Hellman (ECDH) key exchanges. To explain, an ECDH key pair consists of a private key and a public key. The two devices exchange public keys to derive a shared pairing key. The notice says that ECDH parameters are not always validated before being used, which makes it easier for malicious parties to obtain access to private keys.

Discovering the Vulnerability
This Bluetooth vulnerability was identified by researchers at the Technion Israel Institute of Technology. Specifically, they discovered that the Bluetooth specification doesn't require devices supporting the Secure Simple Pairing or LE Secure Connections features to validate the public key received when pairing with a new device. It's speculated that some vendors may have developed Bluetooth products that support those features but do not perform public key validation during the pairing procedure.

Connections between two devices are vulnerable to a man-in-the-middle attack that allows the monitoring and manipulation of transmissions. An attacking device needs to be within wireless range (about 30 feet) of the two vulnerable Bluetooth devices. The attacking device needs to intercept the public key exchange by blocking each transmission. The attacker then returns an acknowledgement to the sending device and sends a malicious packet to the receiving device. If only one of the two devices is vulnerable, the attack will be unsuccessful.

Vulnerability Remedy
The Bluetooth Special Interest Group (SIG) updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures. Bluetooth SIG has added testing for this vulnerability within its Bluetooth Qualification Program.

I've found no evidence that the vulnerability has been exploited maliciously. Bluetooth SIG is unaware of any devices implementing the attack having been developed. However, now that the vulnerability is public knowledge, I expect there will be attempts to take advantage of this vulnerability. Bluetooth SIG is also communicating details on this vulnerability and its remedy to its members, encouraging them to rapidly integrate any necessary patches. Bluetooth users should also ensure they have installed the latest recommended updates from the device and operating system vendors (see "Bluetooth SIG Security Update," posted at the Bluetooth website).

Vendor Vulnerability Status
At the time of the vulnerability note posting by CERT (July 23, 2018), some vendors were releasing patches while the status of others was unknown. See the chart below.

Vendor Status from Vulnerability Note



Bluetooth applications are pervasive. A security issue with Bluetooth pairing, with an impact on data transmission, simply cannot be ignored. You need to contact the vendors of any devices that have Bluetooth capability. Look for patches and firmware changes that will fix this problem.

You may have trouble finding out how many Bluetooth-capable devices you own. Many organizations do not inventory the Bluetooth capabilities of their devices, since in most cases they assume its very short transmission range makes it less vulnerable to attack. But the threat is still there. This is not something that can be taken care of later, since the population of Bluetooth devices is enormous.

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been Keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.