A newly discovered security vulnerability in Bluetooth can weaken the encryption used by Bluetooth devices. The discovery was made by researchers at the Center for IT-Security, Privacy and Accountability (CISPA).
A malicious actor can use this vulnerability to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices. For example, through this interference the actor can reduce the length of the encryption key used.
To exploit this vulnerability, an attacker would need to be within wireless range of two Bluetooth devices that are establishing a BR/EDR connection. For the attack to work, both of these devices need to have the vulnerability. The attacker could then intercept, manipulate, and transmit key length negotiation messages between the two devices.
The Bluetooth SIG wrote on its website: “There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability.”
The Bluetooth SIG is currently communicating the presence of this vulnerability and its remedy to its member companies. It also recommends that users install the latest updates to ensure their own security.
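
Why both devices must be vulnerable for the attack to work, shown as a simplified model of the key length negotiation. This Python code is an added example, not from the researchers or the Bluetooth SIG; the device names, the single proposal-and-reply exchange, the 1 to 16 byte key range and the 7-byte enforced minimum are assumptions not stated in this article.

```python
from dataclasses import dataclass
from typing import Callable, Optional

SPEC_MIN, SPEC_MAX = 1, 16  # assumption: key length range (bytes) a BR/EDR device may negotiate
HARDENED_MIN = 7            # assumption: minimum a patched device enforces (not stated on this page)


@dataclass
class Device:
    name: str
    min_len: int = SPEC_MIN  # an unpatched device accepts any length down to 1 byte
    max_len: int = SPEC_MAX

    def acceptable(self, length: int) -> bool:
        return self.min_len <= length <= self.max_len


def negotiate(initiator: Device, responder: Device,
              in_path: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """Return the agreed key length in bytes, or None if either side refuses."""
    proposal = initiator.max_len
    if in_path is not None:
        proposal = in_path(proposal)       # negotiation message altered in transit
    if proposal < responder.min_len:
        return None                        # responder's policy rejects the short key
    agreed = min(proposal, responder.max_len)
    # The initiator applies its own policy to the length it is asked to accept.
    return agreed if initiator.acceptable(agreed) else None


def shorten(_proposed: int) -> int:
    """Constructed interference: every proposal is rewritten to the shortest length."""
    return SPEC_MIN


def run_cases() -> dict:
    legacy = lambda n: Device(n)
    patched = lambda n: Device(n, min_len=HARDENED_MIN)
    return {
        "no interference, both unpatched": negotiate(legacy("A"), legacy("B")),
        "interference, both unpatched": negotiate(legacy("A"), legacy("B"), shorten),
        "interference, responder patched": negotiate(legacy("A"), patched("B"), shorten),
        "interference, initiator patched": negotiate(patched("A"), legacy("B"), shorten),
        "interference, both patched": negotiate(patched("A"), patched("B"), shorten),
    }


if __name__ == "__main__":
    for case, length in run_cases().items():
        shown = "refused" if length is None else f"{length} bytes"
        print(f"{case}: {shown}")
```

Only the case where neither device enforces a minimum ends with a weakened key; a minimum enforced on either side turns the interference into a refused connection.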