U.S. CERT issued an advisory note warning Bluetooth firmware or operating system software drivers are missing a required cryptographic step enabling man in the middle attacks to take place.
The vulnerability (CVE-2018-5383) means a Bluetooth device may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device, the advisory stated. This could result in an attacker being able to intercept and decrypt all device messages and forge and inject malicious messages.
Software and firmware updates are not yet available, but are expected to be out in several weeks. In addition, the Bluetooth SIG has updated the Bluetooth specifications requiring validation of any public key received as part of public key-based security procedures. This will provide a remedy to the vulnerability from a specification perspective, the advisory said.
While the vulnerability in question does impact billions of devices the likelihood of someone being targeted is very low, said Rod Soto, director of security research at JASK, but he noted the fact that most people have their entire lives contained on their mobile device, which almost always has a Bluetooth connection, makes this type of exploit quite dangerous.
In addition, “professional criminals and nation-state actors could use this exploit to go after high-value targets, such as government officials, employees at critical infrastructure organizations and more,” Soto