A major vulnerability discovered in the Bluetooth wireless protocol, officially acknowledged by the Bluetooth Special Interest Group (SIG), has been patched by Apple in the latest iOS, macOS, watchOS and tvOS updates for iPhone, iPad, Mac, Apple Watch and Apple TV.
A fix was implemented in the iOS 12.4, watchOS 5.3, tvOS 12.4 and macOS Mojave 10.14.6 updates released July 22, 2019. A pair of security patches issued the same day brought those fixes to older Macs powered by macOS High Sierra 10.13.6 and macOS Sierra 10.12.6.
According to Apple’s relevant support documents, an attacker in a privileged network position may be able to intercept Bluetooth traffic due to an input validation issue that existed in the Bluetooth specification. “This issue was addressed with improved input validation,” the iPhone maker noted in an August 13 update to the security documents.
Apple credits researchers Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of the University of Oxford, England.
Here’s how this bug could be exploited, as explained by 9to5Mac:
Bluetooth operates on the basis that both devices have to agree to the connection. One sends a request and the other must accept it. An exchange of public keys verifies the identities of the devices and encryption keys are generated for the connection, ensuring that it is secure. The Bluetooth security flaw means that an attacker could interfere with the encryption setup, forcing a much shorter encryption key — right down to a single octet, equivalent to a single character. That then makes it easy to try all possible encryption keys to establish the connection.
Bluetooth SIG has more in its security notice:
Since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet.
In addition, the researchers identified that, even in cases where a Bluetooth specification did mandate a minimum key length, Bluetooth products exist in the field that may not currently perform the required step to verify the negotiated encryption key meets the minimum length. In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic.
All companies making Bluetooth-enabled products have been asked by Bluetooth SIG to issue software updates to shorten the time window available for a spoofed connection, which should guard against such exploits. The organization has also updated the Bluetooth specification to require that pairing encryption keys have a minimum of seven octets.
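To make the negotiation the SIG describes concrete, here is an added Python model (not code from the article, Apple, Bluetooth SIG or the researchers): each side proposes a maximum key size in octets, the link settles on the smallest proposal in play, and a device relaying the exchange can lower what each side sees the other propose. The `accept_any` host reproduces the missing minimum-length check the notice mentions; `accept_minimum` enforces the seven-octet floor the updated specification now requires. The 1..16 octet range, the "smallest proposal wins" rule and all names are assumed simplifications.

```python
"""Simplified model of BR/EDR encryption key size negotiation.

Added illustration, not code from the article, Apple, Bluetooth SIG or
the researchers. Assumed simplifications: key sizes are whole octets in
1..16, the link settles on the smallest proposal in play, and a device
relaying the exchange can lower what each side sees the other propose.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_KEY_OCTETS = 16
MIN_KEY_OCTETS = 7  # minimum the updated Bluetooth specification requires


@dataclass(frozen=True)
class Device:
    name: str
    max_key_octets: int            # largest key size the device supports
    accept: Callable[[int], bool]  # host policy applied to the negotiated size


def accept_any(key_octets: int) -> bool:
    """Pre-fix host: trusts whatever size came out of the negotiation."""
    return 1 <= key_octets <= MAX_KEY_OCTETS


def accept_minimum(key_octets: int) -> bool:
    """Hardened host: refuses a link whose key is shorter than MIN_KEY_OCTETS."""
    return MIN_KEY_OCTETS <= key_octets <= MAX_KEY_OCTETS


def negotiate(a: Device, b: Device, forced: Optional[int] = None) -> int:
    """Key size the link settles on; `forced` models a relaying device
    that rewrites both proposals down to that many octets."""
    proposals = [a.max_key_octets, b.max_key_octets]
    if forced is not None:
        proposals.append(forced)
    return max(1, min(MAX_KEY_OCTETS, *proposals))


def establish_link(a: Device, b: Device, forced: Optional[int] = None) -> Tuple[int, bool]:
    """Negotiate, then apply both hosts' policies.
    Returns (negotiated octets, link allowed)."""
    size = negotiate(a, b, forced)
    return size, a.accept(size) and b.accept(size)


def keyspace(key_octets: int) -> int:
    """Number of candidate keys for a key of the given size."""
    return 2 ** (8 * key_octets)
```

With two `accept_any` hosts a forced one-octet negotiation yields a link protected by one of only 256 keys; once either host uses `accept_minimum`, the same negotiation is refused.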
I’m glad Apple has fixed this vulnerability.
As the industry standard for exchanging data between devices over short distances using short-wavelength UHF radio waves, Bluetooth certainly has its fair share of issues. The protocol’s ubiquity means a critical flaw discovered in its specifications requires an industry-wide effort to patch across platforms and devices.
In fact, Bluetooth SIG took immediate action after learning of the issue by updating the official Bluetooth specification in a way that should prevent the vulnerability from being exploited in the wild across hundreds of millions of Bluetooth hosts and accessories.
Apple, too, should be praised for squishing the bug before it had a chance to wreak havoc.
On a related note, another Bluetooth vulnerability, discovered back in July, makes it possible to track some devices, including iOS, macOS and Microsoft products. Apple has not yet issued a fix for that exploit but should in the near future, if history is anything to go by.
In 2015, the Cupertino tech giant became a Promoting Member of Bluetooth SIG and gained voting rights, so it should be able to respond to these kinds of threats in a timely manner.
Are you glad that Apple has neutralized this particular attack vector?
Let us know by leaving a comment below.