Bluetooth Pairing Flaw Could Lead to Man in the Middle Attacks

Bluetooth security bug

CERT issued a warning for a Bluetooth security flaw that could lead to a man-in-the-middle attack. The flaw takes advantage of a vulnerability in Secure Simple Pairing and LE Secure Connections, but your iPhone, iPad, and Mac are safe if you’re staying on top of system updates.

Bluetooth security bug
Bluetooth pairing security flaw could let hackers into your computer

The CERT security note says,

Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.

Translated back in to normal human-speak, that means your computer, smart phone, or tablet may not be verifying the security key a device—like wireless headphones or speakers—sends before pairing. A clever hacker that’s nearby can watch for those pairing requests, intercept them, and pose as the paired device. Once the malicious pairing is complete the hacker can capture the data you send over Bluetooth and potentially access other information on your computer.

[macOS High Sierra 10.13.6 gets AirPlay 2 Support]
[Apple Releases iOS 11.4.1 with Two Bug Fixes and Security Patches]

The good news, at least for iPhone, iPad and Mac users, is Apple already patched the security flaw with iOS 11.4.1 and macOS High Sierra 10.13.6. Apple also released Security Update 2018-004 for mac OS Sierra and El Capitan.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.