To mitigate this risk, Bluetooth Core Specification 5.4 advises that devices should fail a pairing procedure if a peer’s public key X coordinate matches that of the local device, except when a debug key is used. This vulnerability, known as “Impersonation in the Passkey Entry Protocol,” affects devices using the Passkey Entry association model in BR/EDR Secure Simple Pairing, Secure Connections Pairing, and LE Secure Connections Pairing. A recently identified vulnerability in Bluetooth technology, identified as CVE-2020-26558, poses a significant security risk to devices supporting various Bluetooth Core Specifications. According to the Bluetooth report, For this attack to be successful, the attacker must be within wireless range of two vulnerable Bluetooth devices that are initiating pairing or bonding. By using crafted responses, the attacker can determine the passkey used during the pairing session, leading to an authenticated pairing procedure with both the initiating and responding devices. As Bluetooth technology continues evolving, maintaining robust security measures is crucial for safeguarding personal data and secure wireless communications. It allows a man-in-the-middle (MITM) attacker to exploit the pairing process by responding to an initiating device with a public key whose X coordinate matches that of the peer device. Users are encouraged to update their devices regularly and stay informed about security patches released by device manufacturers. The flaw is present in Bluetooth Core Specifications ranging from version 2.1 through 5.4 for BR/EDR to version 4.2 through 5.4 for LE Secure Connections. Ensuring that devices reject public keys with matching X coordinates can prevent potential MITM attacks and enhance overall security. The Bluetooth Special Interest Group (SIG) emphasizes the importance of following updated security protocols to protect against vulnerabilities like CVE-2020-26558. The attack specifically targets scenarios where a BR/EDR or LE IO Capabilities exchange results in the selection of the Passkey pairing procedure.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Oct 2024 06:10:24 +0000