Peek-a-blue(tooth)! They see you… and your information! A Bluetooth bug has been publicly announced and it potentially allows middle-men to spy on private data. Woo-hoo! As it turns out, current ”firmware or operating system drivers skip a vital check during a Diffie-Hellman key exchange between devices,” creating an opportunity for eavesdroppers to introduce malicious commands into the information passed through a Bluetooth connection. Imagine yourself going on a weeklong vacation, and you’ve hired a sweet eighteen-year-old girl to look after your 106 plants. But when she comes over for your house-key, you don’t realize you just handed it to her evil twin. These hackers are tricking computers into giving away their private keys. Anyone using devices from Apple, Google, Broadcom, Qualcomm, and Intel, including smartphones and PCs, can be or are already affected by this Bluetooth bug. And since that’s practically everyone, we’re all in this together!
Where did it come from, where did it go?
The Diffie-Hellman (DH) key exchange, a “method of securely exchanging cryptographic keys,” acted as the weak spot in Bluetooth pairing. During a DH exchange, information is not immediately shared during the connection process, because that would be unsafe and unsecure. Instead, it will first generate a private cryptography key and then somewhere in the middle of that process, the two devices decide on an elliptic curve parameter to use. Now, you’re probably wondering what the heck that is, because we were curious too. As it turns out, this is one of the least understood forms of cryptography, so it’s probably easier to break it down through a video.
This form of cryptography is extremely beneficial because it takes a much smaller number of bits to get the same result as a complex, spacious cryptography method which uses thousands more bits. The ”dot” connections in elliptic cryptography are what determine the private key, and when these elliptic curve parameters are not validated, it leaves connecting devices vulnerable. Attackers can use fake public cryptography keys in order to find the private session key and intercept device messages. Now that’s a bummer, but how do we fix it?
CERT, the Computer Emergency Response team for the United States, has stated that the issue will need more than a software upgrade. Any device with a Broadcom or Qualcomm chip within it is already vulnerable, including the newest iPhone models. However, Apple already sent out fixes in May with iOS 11.4 and a MacOS patch, so as long as your tech is updated, you should be in the clear. Plus, “the Bluetooth SIG has now updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures.” Two android vendors, Huawei and LG, have released patches as well to prevent vulnerability. Broadcom and Intel are both working on software updates. And Google has not yet announced what they are going to choose to do. The companies searching for solutions have been rapidly creating new firmware in addition to new software updates in order to be prepared for any wandering eyes.
Bigger updates and patches have been coming out of Silicon Valley with Dell and Lenovo behind them. During this time, Microsoft also deemed themselves in the clear of this issue, because they were vulnerable to OLDER Bluetooth attacks. Windows does not support Bluetooth version 4.2, but it had eavesdropping issues with version 4.0. Sometimes being behind is better, I guess? ¯\_(ツ)_/¯
How to Protect Yourself
Moral of the story here, update your technology’s software if it has a Bluetooth compatibility. Even if you hate the way it makes Instagram or Snapchat look, it’s better to be safe than sorry!