Smartphone users with Bluetooth connectivity now have another thing to worry about: a newly discovered flaw makes smartphones and other devices that use Bluetooth vulnerable to hacks.
Lior Neumann and Eli Biham of the Israel Institute of Technology were the first to find the flaw. It was later flagged by the Carnegie Mellon University CERT. According to the research, Bluetooth components from Apple, Broadcom, Intel and Qualcomm have been affected. ZDNet reports that some Android devices have also been affected.
When two users connect their devices over Bluetooth, the devices need to validate their cryptographic keys to enable a secure connection. This flaw allows an attacker to create a fake public key and insert their own device in between the two Bluetooth devices, tricking a user into giving access. This way, the hacker can inject their own messages and gain access to any sensitive information the user might have, which is usually referred to as a man-in-the-middle attack.
As per the ZDNet report, the flaw, which is being tracked as CVE-2018-5383, affects Bluetooth's Secure Simple Pairing and Low Energy Secure Connections.
The flaw occurs primarily because some smartphone vendors' Bluetooth implementations do not properly validate the cryptographic key exchange when Bluetooth devices are trying to pair.
The hacker must also be able to intercept the valid public keys being exchanged by the two Bluetooth devices before imitating the transmissions. In other words, the hacker needs to intercept a valid connection request from both users, so that both users think they have connected to each other.
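The missing validation described above comes down to a receiver checking that the peer's elliptic-curve public key is a real point on the pairing curve before using it. The following is an added example, not code from the researchers or any vendor; it assumes the P-256 curve and the 64-byte little-endian X-then-Y key layout used by Low Energy Secure Connections, and the function names and sample payloads are constructed for illustration.

```python
# P-256 (secp256r1) domain parameters, as published in FIPS 186-4.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Curve base point, used here only as a known-good sample public key.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_valid_p256_public_key(x: int, y: int) -> bool:
    """True only if (x, y) is an affine point on P-256.

    Both coordinates must be reduced field elements, and the pair must
    satisfy y^2 = x^3 + a*x + b (mod p). P-256 has cofactor 1, so no
    separate subgroup check is needed once the point is on the curve.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def parse_pairing_public_key(payload: bytes) -> tuple[int, int]:
    """Decode a received 64-byte public key and reject it unless it is valid.

    Assumed layout: 32-byte X followed by 32-byte Y, both little-endian.
    A pairing implementation should abort pairing when this raises.
    """
    if len(payload) != 64:
        raise ValueError("public key must be exactly 64 bytes")
    x = int.from_bytes(payload[:32], "little")
    y = int.from_bytes(payload[32:], "little")
    if not is_valid_p256_public_key(x, y):
        raise ValueError("public key is not on P-256; abort pairing")
    return x, y


def _encode(x: int, y: int) -> bytes:
    """Build a constructed sample payload in the assumed wire layout."""
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


# Constructed samples: a genuine key, and the same key with Y altered in transit.
GOOD_PAYLOAD = _encode(GX, GY)
TAMPERED_PAYLOAD = _encode(GX, GY ^ 1)
```

An implementation without the `is_valid_p256_public_key` step would accept `TAMPERED_PAYLOAD` and carry on with the key exchange, which is the behaviour the patched firmware and drivers remove.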
Apple released a patch for the flaw in July. Microsoft has said that Windows systems aren't affected directly, but the report suggests that many wireless chip modules for Windows 7, 8.1, and 10 products appear in the list of affected modules.
Users have been told to upgrade to the latest firmware and also check with vendors if they have any updates. Dell and Lenovo have released new drivers to fix this flaw in Intel software, with others working on their updates to fix the flaw.