New Bluetooth Vulnerability Leak Your Passcode to Hackers During Pairing

To mitigate this risk, Bluetooth Core Specification 5.4 advises that devices should fail a pairing procedure if a peer’s public key X coordinate matches that of the local device, except when a debug key is used. This vulnerability, known as “Impersonation in the Passkey Entry Protocol,” affects devices using the Passkey Entry association model in BR/EDR Secure Simple Pairing, Secure Connections Pairing, and LE Secure Connections Pairing. A recently identified vulnerability in Bluetooth technology, identified as CVE-2020-26558, poses a significant security risk to devices supporting various Bluetooth Core Specifications. According to the Bluetooth report, For this attack to be successful, the attacker must be within wireless range of two vulnerable Bluetooth devices that are initiating pairing or bonding. By using crafted responses, the attacker can determine the passkey used during the pairing session, leading to an authenticated pairing procedure with both the initiating and responding devices. As Bluetooth technology continues evolving, maintaining robust security measures is crucial for safeguarding personal data and secure wireless communications. It allows a man-in-the-middle (MITM) attacker to exploit the pairing process by responding to an initiating device with a public key whose X coordinate matches that of the peer device. Users are encouraged to update their devices regularly and stay informed about security patches released by device manufacturers. The flaw is present in Bluetooth Core Specifications ranging from version 2.1 through 5.4 for BR/EDR to version 4.2 through 5.4 for LE Secure Connections. Ensuring that devices reject public keys with matching X coordinates can prevent potential MITM attacks and enhance overall security. The Bluetooth Special Interest Group (SIG) emphasizes the importance of following updated security protocols to protect against vulnerabilities like CVE-2020-26558. The attack specifically targets scenarios where a BR/EDR or LE IO Capabilities exchange results in the selection of the Passkey pairing procedure.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Oct 2024 06:10:24 +0000


Cyber News related to New Bluetooth Vulnerability Leak Your Passcode to Hackers During Pairing

New Bluetooth Vulnerability Leak, Your Passcode to Hackers During Pairing - The vulnerability, CVE-2020-26558, is found in devices supporting the Passkey Entry association model in various Bluetooth Core Specifications, ranging from version 2.1 to 5.4. It affects BR/EDR Secure Simple Pairing and LE Secure Connections Pairing ...
1 month ago Gbhackers.com
Unraveling the Wonders of Bluetooth - Continuing its evolution, Bluetooth 3.0 + HS arrived in 2009, introducing the concept of Bluetooth High Speed, leveraging Wi-Fi technology for faster data transfer over short distances. Bluetooth 4.0, introduced in 2010, marked a significant ...
9 months ago Feeds.dzone.com
New Bluetooth Vulnerability Leak Your Passcode to Hackers During Pairing - To mitigate this risk, Bluetooth Core Specification 5.4 advises that devices should fail a pairing procedure if a peer’s public key X coordinate matches that of the local device, except when a debug key is used. This vulnerability, known as ...
1 month ago Cybersecuritynews.com
Bluetooth Flaw Let Hackers Takeover of iOS & Android Devices - Bluetooth vulnerabilities in Android, Linux, macOS, iOS, and Windows are critical as hackers could exploit them to gain unauthorized access to the vulnerable devices. Such flaws in Bluetooth protocols enable the threat actors to steal sensitive data, ...
9 months ago Cybersecuritynews.com
CVE-2022-25837 - Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the ...
1 year ago
CVE-2021-47038 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid deadlock between hci_dev->lock and socket lock Commit eab2404ba798 ("Bluetooth: Add BT_PHY socket option") added a dependency between socket lock and hci_dev->lock ...
8 months ago Tenable.com
CVE-2024-49950 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2cap_connect [Syzbot reported] BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 Read of size 8 ...
2 weeks ago Tenable.com
A Cybersecurity Risk Assessment Guide for Leaders - Now more than ever, keeping your cyber risk in check is crucial. In the first half of 2022's Cyber Risk Index, 85% of the survey's 4,100 global respondents said it's somewhat to very likely they will experience a cyber attack in the next 12 months. ...
1 year ago Trendmicro.com
New BLUFFS attack lets attackers hijack Bluetooth connections - Researchers at Eurecom have developed six new attacks collectively named 'BLUFFS' that can break the secrecy of Bluetooth sessions, allowing for device impersonation and man-in-the-middle attacks. Daniele Antonioli, who discovered the attacks, ...
11 months ago Bleepingcomputer.com
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 month ago Aws.amazon.com
Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection - Apple today launched a new tool for iPhones to help reduce what a thief with your phone and passcode can access. The feature, called Stolen Device Protection, adds extra layers of protection to your iPhone when someone tries to access or change ...
9 months ago Wired.com
UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
10 months ago Hackread.com
Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
10 months ago Hackread.com
Hackers Leak Alleged Partial Facebook Marketplace Database - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
8 months ago Hackread.com
Hackers Access Customer Info in Latest MongoDB Data Breach - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
10 months ago Hackread.com
Hackers Stole $59 Million of Crypto Via Malicious Google and X Ads - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
10 months ago Hackread.com
Ubisoft Hackers Scrambled for 900GB of Data Before Foiled - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
10 months ago Hackread.com
Hackers Attack UK's Nuclear Waste Services Through LinkedIn - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
10 months ago Hackread.com
Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
11 months ago Hackread.com
Data Leak Exposes 1.5 Billion Real Estate Records, Including Elon Musk, Kylie Jenner - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
10 months ago Hackread.com
Texas School Safety Software Data Leak Endangers Student Safety - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
9 months ago Hackread.com
US Man Jailed 8 Years for SIM Swapping and Apple Support Impersonation - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
11 months ago Hackread.com
Is it possible to use an external SSD to speed up your Mac - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
9 months ago Hackread.com
Defend Your Business: Testing Your Security Against QakBot and Black Basta Ransomware - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
5 months ago Securityboulevard.com
What is Biometric Security? Your Body Becomes Your Key - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
9 months ago Hackersonlineclub.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)