Be careful in using too much Bluetooth anywhere.
Remember the time when phones have party line between the caller and receiver? Now, security researchers discover that there’s a possible way hackers can do the same thing with Bluetooth connections, without you knowing. Here’s how.
There’s a middle man on Bluetooth
On Monday, May 24, the Bluetooth Special Interest Group (Bluetooth SIG), the organization overseeing the development of Bluetooth standards, issued a security warning to protect users on seven new security flaws found in Bluetooth.
Turns out, the Bluetooth Core and Mesh Profile specifications have vulnerabilities that users might not known. Researchers from the French National Agency for the Security of Information Systems (ANSSI) shows that attackers can easily hijack the Bluetooth connection between the sender and receiver, without the two parties knowing about it.
This attack is called MitM or man-in-the-middle tactic. For example, a person attempts to send you a file through Bluetooth. The MitM attacker can easily enter the connection between the two persons and portray as the sender. Basically, the attacker will stop the initiator to connect with the receiver, allowing it to be fully transparent.
Here’s the list of vulnerabilities pointed out on the report:
- Bluetooth Mesh Profile AuthValue leak
- Malleable commitment in Bluetooth Mesh Profile provisioning
- Predictable Authvalue in Bluetooth Mesh Profile provisioning leads to MITM
- Impersonation attack in Bluetooth Mesh Profile provisioning
- Impersonation in the BR/EDR pin-pairing protocol
- Authentication of the Bluetooth LE legacy-pairing protocol
- Impersonation in the Passkey entry protocol
Bluetooth SIG sends warning
To prevent companies from being affected with the Bluetooth vulnerability, the Bluetooth SIG organization made sure to send warnings about the newly-found vulnerabilities.
“The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches,” the organization said. “As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.”
Intel, Cisco could be affected
The Carnegie Mellon CERT Coordination Center (CERT/CC) reported that popular vendors like Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology, and Cradlepoint could be the top companies to worry about with the said warning.
Cisco and AOSP already released statements about the issue and said that they are now on action to update their security patches, in protection of the customers.
“Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin,” AOSP told CERT/CC.
“Cisco is tracking these vulnerabilities via incident PSIRT-0503777710,” the company said.
“Cisco has investigated the impact of the aforementioned Bluetooth Specification vulnerabilities and is currently waiting for all the individual product development teams to provide Software fixes to address them.”
What to do to keep safe
If you’re a consumer, there are various way to make sure to keep yourself away from any Bluetooth vulnerabilities. First off, stop opening your Bluetooth in public spaces. Second, install security software on your devices, or update security patches needed by your gadgets.