A newly discovered bug in Bluetooth implementations and operating system drivers allows hackers to gain unauthorized access to a device and steal data.

The vulnerability was discovered by security researchers Lior Neumann and Eli Biham from the Israel Institute of Technology and since shared by Intel Corp. and CERT. It relates to a critical cryptographic flaw that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.

The flaw relates to the method used to connect to a Bluetooth-enabled device using the Secure Simple Pairing or LE Secure Connections features to validate a public key received over the air when pairing.

“The elliptic-curve Diffie-Hellman (ECDH) key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key,” CERT explained. “The devices must also agree on the elliptic curve parameters being used. Previous work on the ‘Invalid Curve Attack’ showed that the ECDH parameters are not always validated before being used in computing the resulted shared key, which reduces attacker effort to obtain the private key of the device under attack if the implementation does not validate all of the parameters before computing the shared key.”

Put far more simply, if you have a Bluetooth device or connection on your computer, the vulnerability means you could be theoretically hacked by someone nearby.

Bluetooth SIG Inc., the organization behind the standard, blames software vendors for a poor implementation of security. The list of companies with devices affected is a Who’s Who of top tech companies, including Apple Inc., Broadcom Inc., Intel Corp. and Qualcomm Inc.

The implications of the bug on Google LLC devices along with Android and Linux are unknown for now. Rod Soto, director of security research at JASK Inc., told SiliconANGLE that the risk the vulnerability presents to average users is fairly slim.

“Bluetooth exploits require special hardware and customized code, so even though this vulnerability may affect billions of devices, the likelihood of a common person being targeted is very low,” Soto explained. “However, professional criminals and nation-state actors could use this exploit to go after high-value targets, such as government officials, employees at critical infrastructure organizations and more.”

Soto noted that personal area networks are the last circle of defense for potential targets. “These networks are typically made up of mobile devices, which people essentially save their entire lives on and carry around with them,” he said. “This is exactly what makes these types of exploits very dangerous.”

Photo: Wikimedia Commons