New Bluetooth Vulnerability Leak, Your Passcode to Hackers During Pairing

A recently discovered vulnerability in Bluetooth technology has raised significant security concerns.

This flaw could allow hackers to intercept passcodes during the device pairing process, affecting a wide range of Bluetooth devices and potentially having far-reaching implications for users worldwide.

The Vulnerability: CVE-2020-26558

The vulnerability, CVE-2020-26558, is found in devices supporting the Passkey Entry association model in various Bluetooth Core Specifications, ranging from version 2.1 to 5.4. It affects BR/EDR Secure Simple Pairing and LE Secure Connections Pairing protocols.

The flaw arises when a device accepts a public key from a remote peer with the same X coordinate as the public key it provided but with an opposite sign for the Y coordinate. 

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try It for Free

This oversight allows a man-in-the-middle (MITM) attacker to exploit the pairing process. Responding with a crafted public key, an attacker can determine the passkey used during the pairing session.

This enables them to complete an authenticated pairing procedure with both the initiating and responding devices.

How the Attack Works

For this attack to succeed, the malicious device must be within the wireless range of two vulnerable Bluetooth devices during their pairing or bonding process.

The attack explicitly targets scenarios in which BR/EDR IO Capabilities or LE IO Capabilities exchanges result in selecting the Passkey pairing procedure. 

The attacker manipulates the public key exchange process using a variation of the original ‘Impersonation in the Passkey Entry Protocol’ method.

By offering a public key with an X coordinate matching that of the peer device, they can effectively impersonate one of the devices involved in the pairing process.

Recommendations and Mitigations

To mitigate this vulnerability, Bluetooth Core Specification 5.4 advises that devices should fail a pairing procedure if they receive a public key with an X coordinate matching their own, except in cases where a debug key is used.

The upcoming Bluetooth Core Specification 6.0 will make this check mandatory, enhancing security against such attacks. 

Manufacturers and developers are urged to update their implementations to adhere to these recommendations.

Ensuring devices reject suspicious public keys during pairing can significantly reduce the risk of exploiting this vulnerability.

This vulnerability underscores the importance of staying updated with device manufacturers’ latest security patches and recommendations.

Users are encouraged to regularly update their firmware and be cautious when pairing Bluetooth devices in potentially insecure environments. 

As Bluetooth technology continues to be integral to everyday connectivity, addressing such vulnerabilities promptly is crucial for maintaining user trust and ensuring secure communications across devices.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration