The Bluetooth SIG, the body that maintains the standards for the wireless communications technology, has acknowledged a serious Bluetooth flaw that would make it easier for an attacker to brute-force the encryption key protecting a connection between Bluetooth-enabled devices. The flaw was serious enough that the official Bluetooth specification has been changed.
A Bluetooth connection normally requires both devices to agree to it: one device sends a request, and the other device accepts it. During pairing the devices exchange public keys and derive a shared link key, from which the encryption key for the connection is generated; that key is what is supposed to keep the connection secure.
However, the flaw allows an attacking device to interfere with the encryption setup and force a much shorter encryption key to be negotiated. A key that short can be recovered by simply trying every possible value, after which the attacker can read or tamper with the traffic on the connection.
The Bluetooth SIG’s security notice explains:
The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used.
In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet.
In addition, the researchers identified that, even in cases where a Bluetooth specification did mandate a minimum key length, Bluetooth products exist in the field that may not currently perform the required step to verify the negotiated encryption key meets the minimum length. In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic.
Vendors have been instructed to update their devices to enforce a minimum encryption key length of seven octets (bytes) on BR/EDR connections, and the Bluetooth specification has been changed to make this a requirement.
Apple has implemented the fix in the latest updates to its devices, so users running the latest public version of their devices’ operating systems are protected against this attack.
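To make the key-size negotiation and the brute force concrete, here is an added example that is not code from the article or from the Bluetooth SIG, and not a real Bluetooth stack: a simplified Python model of the negotiation described in the notice, with and without the minimum-length check, followed by an exhaustive search over a key whose entropy has been driven down. The function names, the truncation used to model the reduced-entropy key, and the SHA-256-based toy cipher standing in for the real link-layer cipher are all assumptions made for illustration; the sample key, nonce and plaintext are constructed.

```python
import hashlib
import itertools

MIN_KEY_SIZE = 7     # minimum the updated specification now requires (octets)
MAX_KEY_SIZE = 16    # BR/EDR encryption keys are at most 16 octets


class NegotiationError(Exception):
    """Raised when the negotiated key size must be rejected."""


def negotiate_key_size(local_max, peer_proposed, enforce_minimum):
    """Return the negotiated encryption key size in octets.

    Each side accepts the smaller of its own maximum and the size the peer
    proposes. The proposal is neither encrypted nor authenticated, so an
    attacking device can rewrite it; without the minimum check the result
    can be driven down to a single octet.
    """
    if not 1 <= peer_proposed <= MAX_KEY_SIZE:
        raise NegotiationError("proposed key size out of range")
    negotiated = min(local_max, peer_proposed)
    if enforce_minimum and negotiated < MIN_KEY_SIZE:
        raise NegotiationError(
            f"negotiated key size {negotiated} below minimum {MIN_KEY_SIZE}")
    return negotiated


def negotiation_rejected(local_max, peer_proposed):
    """True if a device that enforces the minimum refuses the negotiated size."""
    try:
        negotiate_key_size(local_max, peer_proposed, enforce_minimum=True)
    except NegotiationError:
        return True
    return False


def effective_key(full_key, key_size):
    """Simplified stand-in (assumption) for the key reduction: keep key_size
    octets of entropy and zero the rest. The real stack uses the spec's own
    key-shortening derivation, not truncation."""
    return full_key[:key_size] + b"\x00" * (MAX_KEY_SIZE - key_size)


def toy_encrypt(key, nonce, data):
    """Toy stream cipher (assumption) standing in for the real link-layer
    cipher: XOR with a SHA-256(key || nonce || counter) keystream."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def brute_force(key_size, nonce, known_plaintext, ciphertext):
    """Try every key with key_size octets of entropy against one known
    plaintext/ciphertext pair. Returns (key or None, attempts)."""
    attempts = 0
    for candidate in itertools.product(range(256), repeat=key_size):
        attempts += 1
        key = bytes(candidate) + b"\x00" * (MAX_KEY_SIZE - key_size)
        if toy_encrypt(key, nonce, known_plaintext) == ciphertext:
            return key, attempts
    return None, attempts


def run_attack(full_key, forced_size):
    """Attacker forces the peer's proposal down to forced_size against a
    device that does not enforce the minimum, then brute-forces the result."""
    negotiated = negotiate_key_size(MAX_KEY_SIZE, forced_size, enforce_minimum=False)
    key = effective_key(full_key, negotiated)
    nonce = b"\x00" * 8                           # constructed sample nonce
    known = b"Hello from a Bluetooth headset. "    # constructed known plaintext
    ciphertext = toy_encrypt(key, nonce, known)
    recovered, attempts = brute_force(negotiated, nonce, known, ciphertext)
    return recovered == key, attempts


if __name__ == "__main__":
    sample_key = bytes(range(0x41, 0x51))          # constructed 16-octet key
    print("1-octet key recovered:", run_attack(sample_key, 1))   # (True, 66)
    print("2-octet key recovered:", run_attack(sample_key, 2))   # (True, 16707)
    print("1-octet proposal rejected when minimum enforced:",
          negotiation_rejected(16, 1))                           # True
```

With one octet of entropy the search finishes within 256 attempts and with two within 65,536; at the seven-octet minimum the same loop would need up to 2^56 attempts, which is the point of the minimum. Note that the check has to sit on the side that receives the proposal: a device that trusts whatever the peer proposes is exactly the case the notice describes.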