A serious Bluetooth security flaw has been acknowledged by Bluetooth SIG, the official body in charge of standards for the wireless communications technology. It is sufficiently dangerous that the official Bluetooth specification has been changed.
The vulnerability would make it far easier for an attacker to brute-force a pairing with your devices…
Bluetooth operates on the basis that both devices have to agree to the connection. One sends a request, and the other must accept it. An exchange of public keys verifies the identities of the devices, and encryption keys are generated for the connection, ensuring that it is secure.
The Bluetooth security flaw means that an attacker could interfere with the encryption setup, forcing a much shorter encryption key — right down to a single octet, equivalent to a single character. That then makes it easy to try all possible encryption keys to establish the connection, as Bluetooth SIG explains in the security notice.
The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used.
In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet.
In addition, the researchers identified that, even in cases where a Bluetooth specification did mandate a minimum key length, Bluetooth products exist in the field that may not currently perform the required step to verify the negotiated encryption key meets the minimum length. In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic.
Companies have been asked to update their devices to ensure that encryption keys have a minimum of seven octets (equivalent to seven characters), and the Bluetooth spec has been changed to add this requirement. The narrow time window available for a spoofed connection means that this should be sufficient to guard against such attacks.
Apple has implemented this in the latest updates to its devices, so ensuring you are on the latest public version will render you safe from this form of attack.
It follows the revelation of another Bluetooth security flaw in June that potentially allows devices to be tracked.