Researchers from the Israel Institute of Technology have discovered a significant security flaw in the Bluetooth protocol – one that could leave devices and computers vulnerable to ‘man in the middle’ attacks, where data can be intercepted and stolen, or injected to deliver malware.
As numerous news sources, including The Hacker News, have reported, the bug is related to versions of Bluetooth that include Secure Simple Pairing and LE Secure Connections. Among the affected vendors are big names in this field, such as Apple, Broadcom, Intel and Qualcomm.
By exploiting the flaw, a hacker could capture any data sent between two compromised devices, and they could even send their own data, which could include viruses and other malicious code. Because the attack relies on Bluetooth, however, the hacker would need to be within appropriate wireless range, meaning they’d have to be in their victim's general vicinity.
The cause of the weakness is related to encryption and the validation of ‘elliptic curve parameters’ and ‘public keys’. For the average small business owner, this kind of technical information isn't likely to be something they’ll want to spend their time reading up on; what they really need to know is if they’re affected and what they can do to protect themselves.
As things stand, while some devices are known to be affected, there are still many that are yet to be confirmed, including Android and Linux devices. Many vendors have already released patches to fix the problem, and others will no doubt follow. However, whether older devices will get patched remains to be seen.
The important thing is to check for updates for all your computers and devices that use Bluetooth. That includes USB dongles plugged into PCs.
While there haven’t been any recorded cases of criminals exploiting this bug, now that it’s public knowledge, that might change. In any case, it’s better to be safe than sorry.