We’ve been using communication technologies like Wi-Fi, Bluetooth, SMS, and MMS for so long that we almost take their security for granted. But recent new use cases, like IoT devices, two-factor authentication, and wearables that are exposing weaknesses of these technologies that are apparently years old. One such discovery involves hijacking the Bluetooth pairing process in order to eavesdrop on the communication between two devices. And as it turns out, this vulnerability has been in the Bluetooth standard for almost a decade.
Before two devices can communicate via Bluetooth, they have to undergo a pairing process that requires a secret key to encrypt the communication. But what if that key was not so secret? Cybersecurity researchers Prof. Eli Biham and graduate student Lior Neumann from Technion in Israel were able to develop a new version of the invalid curve attack to force devices to use a known encryption key. In other words, the attacker forces the pairing process to use a key for which it has a duplicate.
In practice, this would mean that the attacker would be able to see any data that flows between two compromised devices. That includes audio from phone calls, SMS or contacts passed between a phone and smartwatch, or, worse, anything you type on a Bluetooth keyboard, including passwords. That’s definitely going to be a problem for IoT devices smart locks that use Bluetooth to transmit sensitive data.
The irony of this exploit is that if device manufacturers and software developers implement the Bluetooth spec faithfully, they will be vulnerable to the bug. That includes chip makers like Intel, Qualcomm, or Broadcom and platform developers like Google and Apple. Amusingly, Microsoft is singled out as not implementing the latest Bluetooth standard. So while it’s not susceptible to this attack, it is actually in a worse position for being open to older and even simpler attacks.
The good news is that there have been no known actual exploits in the wild, which has given parties involved the chance to patch their software. Even better, the attack actually requires both paired Bluetooth devices to be vulnerable. So if your Android or iPhone or Mac has already been patched, they’re safe even if the Bluetooth peripherals they connect to aren’t.