Bluetooth security flaw could allow hackers to intercept your private data

Friday, July 27th, 2018 | | Technology

A new Bluetooth flaw has been discovered that could allow hackers to intercept your private data, reports ZDNet. The flaw was first discovered by researchers from the Israel Institute of Technology. The vulnerability affects Bluetooth implementations and operating system drivers of Apple, Qualcomm, Intel, and Broadcom.

The flaw known as CVE-2018-5383, affects two Bluetooth functions: Secure Simple pairing, and LE Secure Connections. The vulnerability allows hackers to intercept the transfer of files through Bluetooth pairing, and even modify them. This can expose any exchanged data, such as saved contacts, passwords typed on a keyboard, or sensitive information like point-of-sale, automotive, or medical equipment. The phone or computer involved in pairing could then be revealed, once the hacker copies the keystrokes onto a Bluetooth keyboard, and uses malicious links to compromise a device.

“It is possible that some vendors may have developed Bluetooth products that support those features but do not perform public key validation during the pairing procedure. In such cases, connections between those devices could be vulnerable to a man-in-the-middle attack that would allow for the monitoring or manipulation of traffic,” Bluetooth SIG said in its advisory.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window,” the outfit added.

Intel has also issued an explanation on the newly discovered vulnerability. Here’s what the company said: “A vulnerability in Bluetooth pairing potentially allows an attacker with physical proximity (within 30 meters) to gain unauthorized access via an adjacent network, intercept traffic and send forged pairing messages between two vulnerable Bluetooth® devices. This may result in information disclosure, elevation of privilege and/or denial of service.”

Intel is recommending users to upgrade to the latest version of firmware. Apple has also issued an update for the bug on its devices, a MacRumors report said. You are secured if your devices are running macOS High Sierra 10.13.5/10.13.6, iOS 11.4, tvOS 11.4, and watchOS 4.3.1.