New Bluetooth vulnerability allows hacking iOS and Android devices

Wireless protocols are not exempt from cybersecurity risks. IT security audit specialists say that more than one billion Bluetooth-enabled devices (smartphones, IoT equipment, laptops, switches, and others) present a critical vulnerability that, if exploited, would allow hackers to intercept transmitted data between two connected devices, especially smartphones.

Tracked as CVE-2019-9506, this vulnerability is present in the Encryption Key Negotiation Protocol, which allows devices operating with the BR/EDR standard to choose an entropy value for the encryption keys used to secure a Bluetooth connection. According to the report, this attack allows a threat actor located near two connected devices to intercept, monitor and manipulate traffic between paired devices.

The Bluetooth BR/EDR (Basic Rate/Enhanced Data Rate) standard, also known as “Bluetooth Classic”, is a wireless connection standard designed to establish short-range pairings, mainly used in wireless headphones or speakers. According to IT security audit experts, the core specification of this protocol supports encryption keys with an entropy value of between 1 and 16 bytes; the higher the entropy, the higher the level of security. The main finding of this research is that the entropy negotiation, conducted via the Link Management Protocol (LMP), is neither encrypted nor authenticated, making it vulnerable to over-the-air hijacking or manipulation.

By exploiting this vulnerability, a threat actor could trick two devices into setting an encryption key with only 1 byte of entropy, opening the door to a brute force attack. “Let’s think that there are two Bluetooth equipment operators (A and B) establishing a connection. After authenticating the pairing key, A proposes to use 16 bytes of entropy. Entropy (N) can have a value between 1 and 16 bytes; it is up to Subject B to accept or reject, or to propose a different value in this negotiation,” the report on the flaw mentions.

“Subject B could propose a value of N less than proposed by A; subsequently, A could accept and request activation of link encryption with B. Exploiting the vulnerability, a hacker could force A and B to use a lower value of N to intercept the proposal request between both Bluetooth operators,” the experts in IT security audit said. After breaking the encryption, the hacker can capture the traffic transmitted via Bluetooth or even read encrypted texts in real time, without the victims being able to notice.

While dangerous, experts mention that the success of this attack depends on conditions such as:

  • Both Bluetooth devices must establish a BR/EDR connection
  • Both Bluetooth devices must be vulnerable
  • The attacker must be able to block direct transmissions between the devices during pairing

To mitigate the risk of this attack, IT security audit experts from the International Institute of Cyber Security (IICS) mention that manufacturers of integrated Bluetooth equipment should apply, as standard, a minimum key length of 7 bytes for BR/EDR connections. Some manufacturers, such as Microsoft, Cisco, Google, and Apple, have already started releasing the necessary updates, especially for iOS and Android smartphones.
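The following is an added illustration, not code from the article or from any Bluetooth stack. It models the two-message entropy negotiation described in the quoted report (A proposes N, B accepts or counter-proposes) as plain Python, and contrasts a responder that accepts any N in 1..16 with one that enforces the 7-byte minimum recommended above. The message class, function names and the `tamper` hook standing in for an unauthenticated on-air rewrite are all assumptions of this model, not the real LMP encoding; the point it makes is that, because the channel is unauthenticated, only a local minimum-entropy policy on each device stops a lowered proposal from being accepted.

```python
"""Toy model of BR/EDR encryption-key entropy negotiation (added example).

Message shapes and function names are assumptions for illustration only;
they do not reproduce the actual LMP packet format.
"""
from dataclasses import dataclass
from typing import Callable, Optional

MAX_ENTROPY_BYTES = 16          # spec range upper bound (from the article)
RECOMMENDED_MIN_BYTES = 7       # minimum the article says vendors should enforce


class NegotiationRejected(Exception):
    """Raised when a responder refuses the proposed key size."""


@dataclass(frozen=True)
class KeySizeProposal:
    """One proposal message (constructed model of an LMP key-size request)."""
    sender: str
    entropy_bytes: int


def brute_force_space(entropy_bytes: int) -> int:
    """Number of candidate keys for N bytes of entropy: 2**(8*N)."""
    if not 1 <= entropy_bytes <= MAX_ENTROPY_BYTES:
        raise ValueError("entropy must be 1..16 bytes")
    return 2 ** (8 * entropy_bytes)


def permissive_responder(proposal: KeySizeProposal) -> int:
    """Pre-fix behaviour: accept any N the specification allows (1..16)."""
    if not 1 <= proposal.entropy_bytes <= MAX_ENTROPY_BYTES:
        raise NegotiationRejected("out of spec range")
    return proposal.entropy_bytes


def hardened_responder(proposal: KeySizeProposal,
                       minimum: int = RECOMMENDED_MIN_BYTES) -> int:
    """Mitigated behaviour: refuse anything below the configured minimum.

    Because the negotiation is neither encrypted nor authenticated, the
    responder cannot tell a genuine low proposal from a tampered one, so the
    only safe policy is to reject low values regardless of their origin.
    """
    if not 1 <= proposal.entropy_bytes <= MAX_ENTROPY_BYTES:
        raise NegotiationRejected("out of spec range")
    if proposal.entropy_bytes < minimum:
        raise NegotiationRejected(
            f"{proposal.entropy_bytes} bytes below minimum of {minimum}")
    return proposal.entropy_bytes


def negotiate(initiator_bytes: int,
              responder: Callable[[KeySizeProposal], int],
              tamper: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """Run A's proposal through the (unauthenticated) channel to B.

    `tamper`, if given, rewrites the proposed value in transit, modelling the
    manipulation the article describes. Returns the agreed entropy in bytes,
    or None if B aborts the negotiation.
    """
    proposal = KeySizeProposal("A", initiator_bytes)
    if tamper is not None:
        proposal = KeySizeProposal("A", tamper(proposal.entropy_bytes))
    try:
        return responder(proposal)
    except NegotiationRejected:
        return None


if __name__ == "__main__":
    lower_to_one = lambda n: 1   # in-transit rewrite of the proposal value
    for name, responder in (("permissive", permissive_responder),
                            ("hardened", hardened_responder)):
        honest = negotiate(16, responder)
        tampered = negotiate(16, responder, tamper=lower_to_one)
        print(f"{name:11s} honest channel -> {honest} bytes; "
              f"tampered channel -> {tampered}")
    print("keys to try at 1 byte:", brute_force_space(1))
    print("keys to try at 7 bytes:", brute_force_space(7))
```

The permissive responder agrees to the rewritten 1-byte value, leaving a 256-key search space; the hardened responder aborts instead, and an honest 16-byte proposal still succeeds under both policies. Real stacks implement the minimum as a firmware or host policy rather than as Python, but the decision point is the same one shown here.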
