A major security flaw in the Bluetooth protocol affects “a large majority of devices,” according to a new report from the Israel Institute of Technology.
The flaw lets hackers perform man-in-the-middle attacks on Bluetooth devices, hijacking the Bluetooth pairing process as it happens.
This could potentially allow hackers to, for example, listen in on phone calls made through Bluetooth headsets or patch into communications between wearables and mobile devices.
It could also be used to inject data into communications streams, potentially infecting the host device with additional malware, and to monitor the input of wireless keyboards.
According to the report, the attack is a relatively straightforward cryptographic attack on the Elliptic Curve Diffie-Hellman (ECDH) protocol, which Bluetooth devices use to authenticate connections.
The attack has a 50% chance of succeeding, while the other 50% of the time the pairing attempt will simply fail.
The vulnerability is found in both the host device operating system and the chips.
The researchers reported that the standard Android Bluetooth implementation is vulnerable.
They also noted that “Qualcomm’s, Broadcom’s and Intel’s implementations are vulnerable, which together constitutes most of the Bluetooth chips market.
We stress that every device (mobile phone, laptop or car) that uses such a chip is vulnerable.”
The chip and OS makers affected by the vulnerability were notified before the release of the paper.
According to the US-CERT (Computer Emergency Response Team), many of the affected vendors have already released patches.
Apple, Broadcom, Google, Intel and Qualcomm have already developed patches, though it may be up to OS and phone vendors to implement those patches on specific devices.
However, the report notes that “we expect that most of the currently used Bluetooth peripherals will never be patched,” but that “patching all the mobile-phones and computers (where a software update is relatively easy) will greatly decrease the risk of this vulnerability.”