A newly discovered Bluetooth vulnerability that was published this week by Intel has the potential to allow a nearby hacker to gain unauthorized access to a device, intercepting traffic and sending forged pairing messages between two vulnerable Bluetooth devices.
The vulnerability affects Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, and Qualcomm.
From Intel's explanation:
A vulnerability in Bluetooth(R) pairing potentially allows an attacker with physical proximity (within 30 meters) to gain unauthorized access via an adjacent network, intercept traffic and send forged pairing messages between two vulnerable Bluetooth(R) devices. This may result in information disclosure, elevation of privilege and/or denial of service.As BleepingComputer explains, Bluetooth-capable devices are not sufficiently validating encryption parameters in "secure" Bluetooth connections, leading to a weak pairing that can be exploited by an attacker to obtain data sent between two devices.
According to the Bluetooth Special Interest Group (SIG) it's not likely many users were impacted by the vulnerability.
For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.Both Bluetooth and Bluetooth LE are affected. Apple has already introduced a fix for the bug on its devices (in macOS High Sierra 10.13.5/10.13.6, iOS 11.4, tvOS 11.4, and watchOS 4.3.1), so iOS and Mac users do not need to worry. Intel, Broadcom, and Qualcomm have also introduced fixes, while Microsoft says its devices are not affected.
Tag: Bluetooth
28 comments
Earlier this week, do-it-yourself repair website iFixit shared its full teardown of the new 16-inch MacBook Pro, providing a closer look at its scissor switch keyboard, new thermal architecture, and...
A security flaw in Android smartphones from companies like Google and Samsung allowed malicious apps to record video, take photos, and capture audio, uploading the content to a remote server sans...
Apple this fall partnered with 100cameras, a nonprofit organization that aims to teach photography to adolescents, providing participating students at DRW College Prep in Chicago with the new iPhone...
In June 2018, Apple announced that its Maps app would be rebuilt "from the ground up" with more accurate details like grass and trees, pools, parking lots, exact building shapes, sports areas...
Apple today updated its "WWDC" app, changing the name to "Apple Developer" and announcing new year-round updates.
Apple says that the new Apple Developer app will provide...
Apple today send out invites for a surprise media event that's set to be held on Monday, December 2 in New York City, at 4:00 p.m. Eastern Time.
Invitation image via Lance Ulanoff
...
Following a brief initial teardown of the 16-inch MacBook Pro on Friday, repair site iFixit today shared its full teardown of the new machine, giving us insights into the changes that Apple has made...
Apple today released new iOS and iPadOS 13.2.3 for the iPhone and the iPad, updates to the iOS and iPadOS 13.2.2 software that was released last week on November 7.
The new iOS and iPadOS 13.2.3...
