Bluetooth pairing has a security hole. Get ready for updates

Bluetooth SIG

When you pair a couple of devices, like your phone and computer, they exchange encryption keys. But it turns out the Bluetooth specification didn’t require that both of them completely validate those keys. Well, it does now. 

This comes after it was revealed Tuesday that an attacker within wireless reach could insert themselves into communications between the two devices if both failed to properly validate the keys. That’s according to the Bluetooth SIG and Carnegie Mellon’s CERT, with some updates catalogued by ZDNet. 

Luckily, it doesn’t work if at least one of the devices does its due diligence validating all the elliptic curve parameters during the Diffie-Hellman (ECDH) key exchange (CVE-2018-5383), and a lot of manufacturers have already patched their devices. 
updated MacOS for El Capitan and later, plus the fix is in iOS 11.4. 
has provided updated Bluetooth drivers for Windows 7, 8.1 and 10. However, some patches need to come from your device’s manufacturer — Broadcom released a patch in June, for example, but those updates need to trickle down.
already released Qualcomm’s patch, as has Lenovo.

If you’re not on an autoupdate cycle, you should probably check for updates with your phone or system manufacturer. 

The security flaw won’t matter if you’re, say, connecting your Xbox controller to your PC, or your camera to your phone, and the Bluetooth SIG says it’s unaware of any actual incidents related to the flaw. But Bluetooth file transfers are becoming more popular and tools like Apple’s Handoff use Bluetooth for the connection while transferring files over Wi-Fi. You may be typing sensitive information on your Bluetooth keyboard. And while it requires proximity for someone to fool with the data connection, given how many Bluetooth devices frustratingly require repeated re-pairings, the probability of that rises.

We’ve reached out to Apple and for comment but didn’t immediately hear back. Broadcom and confirmed they’ve issued patches.
