A security flaw has been acknowledged by the Bluetooth official body, known as Bluetooth SIG. The issue is so serious that the Bluetooth specification has been altered following its discovery.
According to a report, the flaw could make it easier for an attacker to pair with a Bluetooth device by brute-forcing the pairing process.
In order for a Bluetooth connection to be established, but devices must agree. One device initiates the connection and the second acknowledges it following the exchange of keys. That allows the devices to confirm the identity of each other and encryption keys are then generated to secure the connection.
This newly announced flaw allows an attacker to interfere with the process that generates the encryption, allowing them to force devices to use a shorter encryption key. That then would allow access to be gained via brute force methods. Bluetooth SIG explains all in a new security notice.
The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used.
In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet.
In addition, the researchers identified that, even in cases where a Bluetooth specification did mandate a minimum key length, Bluetooth products exist in the field that may not currently perform the required step to verify the negotiated encryption key meets the minimum length. In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic.
As a result of the security issue companies are being asked to update their devices to ensure encryption keys of at least seven octets are used. Apple has already updated its devices, with others set to follow suit.
(Source: Bluetooth SIG)
You may also like to check out:
- Download iOS 13 Beta 7 IPSW Links And OTA Profile Update For Your iPhone Or iPad
- iOS 13 Beta 7 Profile File Download Without Developer Account, Here’s How
- Best Galaxy Note 10 / 10+ Plus Case List: Here Are The Must-Haves For Protection
- Best Galaxy Note 10 / 10+ Plus Screen Protector? Here Are Our Picks [List]
- Jailbreak iOS 12.2 Using Unc0ver 3.3.0 IPA
- Install WhatsApp Web On iPad Thanks To iOS 13 And iPadOS 13
- 100+ iOS 13 Hidden Features For iPhone And iPad [Running List]
- How To Downgrade iOS 13 / iPadOS 13 Beta To iOS 12.3.1 / 12.4
- iOS 13, iPadOS Compatibility For iPhone, iPad, iPod touch Devices
- Download iOS 13 Beta 1 IPSW Links & Install On iPhone XS Max, X, XR, 8, 7, Plus, 6s, iPad, iPod [Tutorial]