
New Bluetooth security flaw discovered; limited risk on iOS devices

A new Bluetooth security flaw has been discovered that would potentially allow an attacker to connect to a user device without authentication.

The Bluetooth Special Interest Group (SIG), the body responsible for Bluetooth standards, has confirmed vulnerabilities separately discovered by two teams of security researchers…

The organization issued a brief statement.

Researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University have independently identified vulnerabilities related to Cross-Transport Key Derivation (CTKD) in implementations supporting pairing and encryption with both Bluetooth BR/EDR and LE in Bluetooth Specifications 4.0 through 5.0 […]

For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing. If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur. This may permit a Man In The Middle (MITM) attack between devices previously bonded using authenticated pairing when those peer devices are both vulnerable.
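The overwrite condition in the statement above, modelled as a small bonding-key store. This is an added example, not code from 9to5Mac, the Bluetooth SIG or any real Bluetooth stack: the spec's cross-transport derivation uses the h7/h6 functions (AES-CMAC based), and the HMAC-SHA256 chain here is a stand-in so the script runs on the Python standard library alone. The store layout, the class and function names, the "headset" peer and the key bytes are all assumptions. The scenario follows the statement's wording: a device spoofing a previously bonded peer pairs on LE with Just Works, CTKD derives a BR/EDR key from that unauthenticated LTK, and the vulnerable store lets it replace the authenticated key already held for the real device, while the hardened store refuses to let a derived key overwrite a key that was authenticated or of greater strength.

```python
"""Model of the CTKD key-overwrite condition in the Bluetooth SIG statement.

Added example; not code from 9to5Mac, the Bluetooth SIG or any Bluetooth stack.
The real cross-transport derivation uses the spec's h7/h6 functions (AES-CMAC
based); the HMAC-SHA256 stand-in below keeps the script on the standard library.
Key-store layout, class and function names, and the key bytes are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class BondKey:
    key: bytes
    authenticated: bool  # produced by an authenticated pairing method (not Just Works)
    key_size: int        # negotiated key size in bytes (7..16)


def ctkd(source_key: bytes, key_id: bytes) -> bytes:
    """Derive the key for the other transport.  key_id is b"lebr" (LTK -> Link Key)
    or b"brle" (Link Key -> LTK), the key IDs the real h6 step uses; the HMAC
    chain itself is a stand-in for h7/h6, not the spec's function."""
    if key_id not in (b"lebr", b"brle"):
        raise ValueError("unknown CTKD key ID")
    ilk = hmac.new(b"ctkd-standin-salt", source_key, hashlib.sha256).digest()[:16]
    return hmac.new(ilk, key_id, hashlib.sha256).digest()[:16]


class BondStore:
    """Key database indexed by (peer identity, transport).  The peer identity
    is what an attacking device spoofs."""

    def __init__(self, enforce_overwrite_policy: bool) -> None:
        self.enforce = enforce_overwrite_policy
        self.keys: Dict[Tuple[str, str], BondKey] = {}

    def get(self, peer: str, transport: str) -> Optional[BondKey]:
        return self.keys.get((peer, transport))

    def _accept_overwrite(self, old: Optional[BondKey], new: BondKey) -> bool:
        if old is None or not self.enforce:
            return True  # vulnerable behaviour: any derived key replaces the old one
        # Hardened rule: a key may not replace one that was created with
        # authentication, or one of greater strength.
        if old.authenticated and not new.authenticated:
            return False
        if old.key_size > new.key_size:
            return False
        return True

    def _store(self, peer: str, transport: str, new: BondKey) -> str:
        old = self.get(peer, transport)
        if not self._accept_overwrite(old, new):
            return "rejected"
        self.keys[(peer, transport)] = new
        return "stored" if old is None else "overwritten"

    def pair(self, peer: str, transport: str, key: bytes, authenticated: bool,
             key_size: int, use_ctkd: bool = True) -> Dict[str, str]:
        """Record a pairing on `transport`; with CTKD, also derive and store the
        key for the other transport.  Returns the outcome per transport."""
        outcome = {transport: self._store(peer, transport, BondKey(key, authenticated, key_size))}
        if use_ctkd:
            other, key_id = ("BR/EDR", b"lebr") if transport == "LE" else ("LE", b"brle")
            derived = BondKey(ctkd(key, key_id), authenticated, key_size)
            outcome[other] = self._store(peer, other, derived)
        return outcome


def blurtooth_scenario(enforce_policy: bool) -> Dict[str, object]:
    """Victim bonded to 'headset' over BR/EDR with authenticated pairing (CTKD not
    run then, so no LE key exists).  A device spoofing 'headset' then pairs over
    LE with Just Works, and CTKD derives a BR/EDR key from that unauthenticated LTK."""
    victim = BondStore(enforce_policy)
    real_link_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    victim.pair("headset", "BR/EDR", real_link_key, authenticated=True,
                key_size=16, use_ctkd=False)

    attacker_ltk = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    outcome = victim.pair("headset", "LE", attacker_ltk, authenticated=False, key_size=16)

    bredr = victim.get("headset", "BR/EDR")
    return {
        "le_pairing": outcome["LE"],
        "ctkd_on_bredr": outcome["BR/EDR"],
        "bredr_key_is_original": bredr.key == real_link_key,
        "bredr_key_is_attacker_derived": bredr.key == ctkd(attacker_ltk, b"lebr"),
        "bredr_key_authenticated": bredr.authenticated,
    }


if __name__ == "__main__":
    print("vulnerable:", blurtooth_scenario(enforce_policy=False))
    print("hardened:  ", blurtooth_scenario(enforce_policy=True))
```

With the policy off, the BR/EDR entry for "headset" ends up holding a key derived from the attacker's Just Works LTK and marked unauthenticated, which is the state in which the spoofing device is accepted on services that expected the authenticated bond. With the policy on, the LE pairing is still recorded (the statement does not say Just Works pairing itself is refused) but the derived key is rejected and the original authenticated link key survives.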

Apple protects against some forms of Bluetooth attack by requiring apps to ask user permission before they can use Bluetooth at all. Only grant that permission when you have a specific reason to let an app talk to a Bluetooth device and are expecting the prompt. Note what that prompt protects against, though: a malicious app on the phone, not a device within radio range.

Exposure to the Man-In-The-Middle (MITM) attack described above is less clear. In that scenario an attacker spoofing a previously paired device pairs on one transport without authentication, and the key that CTKD derives for the other transport replaces the stronger, authenticated key already stored for the real device, so the attacker's device is then accepted on that transport without any user intervention. App sandboxing does not bear on this, since the weakness sits in the Bluetooth stack's handling of pairing keys rather than in any app. Whether a particular iPhone is affected comes down to whether its Bluetooth implementation supports CTKD and lets such a derived key overwrite an existing one, and that is something only an operating-system update can change.

There’s nothing else we can do at this stage. Bluetooth SIG says that it is in contact with vendors, and will make recommendations on steps needed to protect against these flaws.

The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.

If any additional protection is needed on Apple devices, the Cupertino company would include it in a future security update.

Two other Bluetooth security flaws were discovered last year, one of which was sufficiently dangerous that the official Bluetooth specification was changed in response. A further one was reported earlier this year.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
