Decade-old Bluetooth Flaw Lets Hackers Steal Data Passing Between Devices
Serious error in the wireless protocol also lets hackers tamper with data.
A large number of device makers is patching a serious vulnerability in the Bluetooth specification that allows attackers to intercept and tamper with data exchanged wirelessly. People who use Bluetooth to connect smartphones, computers, or other security-sensitive devices should make sure they install a fix as soon as possible.
The attack, which was disclosed in a research paper published Wednesday, is serious because it allows people to perform a man-in-the-middle attack on the connection between vulnerable devices. From there, attackers can view any exchanged data, which might include contacts stored on a device, passwords typed on a keyboard, or sensitive information used by medical, point-of-sale, or automotive equipment. Attackers could also forge keystrokes on a Bluetooth keyboard to open up a command window or malicious website in an outright compromise of the connected phone or computer.
Bluetooth combines Simple Secure Pairing or LE Secure Connections with principles of elliptic curve mathematics to allow devices that have never connected before to securely establish a secret key needed for encrypted communications. The attack uses a newly developed variant of what cryptographers call an invalid curve attack to exploit a major shortcoming in the Bluetooth protocol that remained unknown for more than a decade. As a result, attackers can force the devices to use a known encryption key that allows the monitoring and modifying of data wirelessly passing between them.
“This attack lets an attacker who can read and modify Bluetooth traffic during pairing force the key to be something they know,” JP Smith, a security engineer and Bluetooth security expert at security firm Trail of Bits, told Ars. “It’s not mathematically/theoretically novel at all, and it’s in fact about the simplest attack you can do on elliptic curve cryptosystems. Notably, this is a protocol-level fault, so if you implemented the Bluetooth spec out of the book (without some optional validation), you have this bug.”
The active man-in-the-middle attack that allows data to be modified works successfully on 50 percent of the pairings, with the remainder failing. A related passive attack works on 25 percent of the pairings. Attackers who don't succeed on the first attempt are free to try on later pairings. Attacks work even when pairings require the user to type a six-digit number displayed on one device into the other one. Attacks require specialized hardware that probably wouldn’t be hard for more advanced hackers to build or obtain.
In the paper, researchers from Technion–Israel Institute of Technology write:
We would like to point out two major design flaws that make our attack possible. The first design flaw is sending both the x-coordinate and the y-coordinate during the public key exchange. This is unnecessary and highly inadvisable, since it greatly increases the attack surface, while calculating the y-coordinate from a given x-coordinate is simple.
The second major flaw is that although both coordinates of the public keys are sent during the second phase of the pairing, the protocol authenticates only the x-coordinate. We are not aware of any reason why the designers decided to leave the y-coordinate unauthenticated, other than for saving a tiny computational effort. Even though the point validity should be checked by the implementation, our attack could have also been avoided if both coordinates were authenticated.
Another less significant flaw is that in the protocol designers state that “To protect a device’s private key, a device should implement a method to prevent an attacker from retrieving useful information about the device’s private key using invalid public keys. For this purpose, a device can use one of the following methods.” In this quote, the specification uses the term “should” (as opposed to “must”). Therefore, implementors may skip the instruction as it is not mandatory for compliance with the specification.
A variety of devices and software—including those running macOS, iOS, or Android or made by LG or Huawei—have already received patches. In a FAQ, the researchers said Bluetooth from Microsoft “implements an old version of the standard, which is even less secure, rather than the broken contemporary standard.” An advisory from CERT is here.
For attacks to be successful, both of the paired devices must be vulnerable. That means as long as either one is patched, users aren’t susceptible. People who use Bluetooth to transmit sensitive data or control trusted devices should ensure they have installed patches on at least one of them. While patches are available for many mainstream devices, there are likely many more specialized ones used in hospitals, stores, and other environments that will remain unprotected for the foreseeable future. Users of these devices should check with manufacturers.
- Director of Sales Engineering
- Up to €110,000 plus bonus and benefits
Location: Paris Salary Upto €110,000 plus bonus and benefits Reference: RA 7382 Director of Sales Engineering This rapidly expanding Cloud Service company are looking for an experience Director of Sale Engineering (Pre sales), to help them expand both their customer base and also their sales engineering team, You will be responsible for managing a team spread across Europe, (France, Germany and UK currently 6) Your responsibilities will include : Organising and monitoring your pre-sales team activity in coordination with your management. Building and managing a pan European team. Making sure your team members are on track with company or individual KPIs. Managing your own set of customer/proposal Coordinating closely with Sales – you will work alongside Account Managers, serving as a technical lead for more standard solutions development. Assigning required resources to the Complex Solution team when required by your management. Working closely with the engineering and product teams to provide customer and market feedback Participating in the planning and execution of various partners facing activities. The role may include actively driving presentations creation or delivery, and general networking activities. As well as previous experience in leading a sales engineering/ presales team you will require both Telecommunications (MPLS, Ethernet,) and Cloud platforms (Azure, Aws, Oracle etc) knowledge.
- Product Manager - Access Controls
- £50,000 - £90,000
An Identity and Access Controls vendor are currently looking to bring on board an exceptional Product Manager with recent exposure around Access Controls and Identity Management. The particular portfolio this person would be responsible for is their Events and transportation Access controls solutions. Managing and overseeing Configuration and implementations of these solutions. The Product Manager would need previous experience within a similar product suite, particularly around Access Controls/ Identity & Access Management delivery programmes. Project size will vary from £200,000 to larger multi-million pounds, so someone with experience managing these sizes of projects is key. This will be a client facing position, so someone with strong customer engagement skills, and the willingness to travel will be essential. If you have any project management certifications, for example Prince2 Practitioner, This will be hugely advantageous. Due to some of the Engineering team being based in Italy, Someone with strong Italian speaking and listening skills will be a front runner, but this is not an essential skill. Unfortunately sponsorship can't be provided to non-eu candidates TC7774 Salary: £50,000 - £90,000 Location: London with travel Cyber Security Jobs | Information Security Jobs | Access Controls Jobs | IDAM Jobs | IAM Jobs | Identity And Access Management Jobs
- CyberArk Specialist
- Up to £90,000
We are currently working with an International Outsourcing business who are looking for a CyberArk Specialist to assist with a large scale Identity and Access Management rollout across large Financial institutions. This business is at the forefront of the financial services market, working alongside some of the largest banks globally, so this will be a great chance to be a key figure in large digital transformation projects. The CyberArk Specialist responsibilities for this role will to be the lead in the Configuration and Design of a Large Privileged Access Management rollout of the CyberArk suite. Solutions Design Client Engagement Liaison between the business and Technical teams If you have strong hands on CyberArk exposure and are looking to move into more of a Business led programme, this is a great opportunity to make that transition. The CyberArk Specialist will be mostly spent on client site, which is based in London. So the right individual will be commutable into Central London. Candidates must be based in the UK. Sponsorship can't be provided to non-eu applicants Salary: £Up to 90,000 Location: London REF: TC7773 CyberArk Jobs | Information Security Jobs | Cyber Security Jobs | IDAM Jobs | IAM Joba | Identity and Access Management Jobs
- Internal Cyber Security Consultant - Technology and Information Security
- Up to £60,000
CH7770 Internal Cyber Security Consultant - Technology and Information security Reading £60,000 Internal Cyber Security Consultant needed in Reading. If you have a blend of hands on experience between security technology solutions and information security and want to be the go to person within an organisation to drive, shape and maintain the security landscape then apply today. MUST be commutable to Reading The Internal Cyber Security Consultant role requires a blend of hands security technology and information security experience- advisory / implementing. Specifically Technology - Support, maintaining, configuring, analysing logs of internal Security technology. As well as identifying new technologies to implement into the business. Information Security - Ensuring policies are relevant to the internal security technology, ensuring ISMS is up to date, aiding in new policy definition. Security user awareness - training. Internal Cyber Security Consultants role will be diverse covering the breadth of the Security landscape. All details kept in the strictest of confidence. Chris.Holt@dclsearch.com 07884666351