X

Bluetooth pairing has a security hole. Get ready for updates

A validation flaw opens the door for a nearby miscreant to monitor or manipulate the Bluetooth communication between devices.

LoriGruninNewHeadshot.jpg
LoriGruninNewHeadshot.jpg
Lori Grunin Senior Editor / Advice
I've been reviewing hardware and software, devising testing methodology and handed out buying advice for what seems like forever; I'm currently absorbed by computers and gaming hardware, but previously spent many years concentrating on cameras. I've also volunteered with a cat rescue for over 15 years doing adoptions, designing marketing materials, managing volunteers and, of course, photographing cats.
Expertise Photography, PCs and laptops, gaming and gaming accessories
Lori Grunin
2 min read
bluetooth-sig-generic-illustration
Bluetooth SIG

When you pair a couple of Bluetooth devices, like your phone and computer, they exchange encryption keys. But it turns out the Bluetooth specification didn't require that both of them completely validate those keys. Well, it does now. 

This comes after it was revealed Tuesday that an attacker within wireless reach could insert themselves into communications between the two devices if both failed to properly validate the keys. That's according to the Bluetooth SIG and Carnegie Mellon's CERT, with some updates catalogued by ZDNet

Luckily, it doesn't work if at least one of the devices does its due diligence validating all the elliptic curve parameters during the  Diffie-Hellman (ECDH) key exchange (CVE-2018-5383), and a lot of manufacturers have already patched their devices.  Apple updated MacOS for El Capitan and later, plus the fix is in iOS 11.4 Intel has provided updated Bluetooth drivers for Windows 7 , 8.1 and 10. 

However, some patches need to come from your device's manufacturer -- Broadcom released a patch in June, for example, but those updates need to trickle down. Dell's already released Qualcomm's patch, as has Lenovo. A Google spokesperson said the company has "remediated the issue with updates to both ChromeOS and Android."

If you're not on an autoupdate cycle, you should probably check for updates with your phone or system manufacturer. 

The security flaw won't matter if you're, say, connecting your Xbox controller to your PC, or your camera to your phone, and the Bluetooth SIG says it's unaware of any actual incidents related to the flaw. But Bluetooth file transfers are becoming more popular and tools like Apple's Handoff use Bluetooth for the connection while transferring files over Wi-Fi. You may be typing sensitive information on your Bluetooth keyboard. And while it requires proximity for someone to fool with the data connection, given how many Bluetooth devices frustratingly require repeated re-pairings, the probability of that rises.

We've reached out to Apple for comment but didn't immediately hear back. Broadcom,  Qualcomm  and Google confirmed they've issued patches.

First published July 24, 10:05 a.m. PT.
Update, July 26 at 4:36 a.m. PT: Adds response from Google.