The IoT world is abuzz with the discovery of a new Bluetooth flaw that opens the door to man-in-the-middle attacks, which are exactly what they sound like — attacks where a third party wedges itself between two of your networked devices and helps itself to the sensitive data stored on each. These attacks are possible when the network has weak or no security, and that is precisely the problem inherent in CVE-2018-5383, a cryptographic flaw that affects two Bluetooth features — Secure Simple Pairing and LE Secure Connections.
The flaw is born out of a spec that allows Bluetooth vendors to opt out of public key authentication. When this happens, the connection between the two Bluetooth devices is not encrypted and any cybercriminal with a mind to do so can insert himself or herself into the communication, provided he or she is within 30 meters of the devices in question.
The need for such close proximity is the one aspect of this vulnerability keeping the tech universe from all-out panic. While the potential for this attack is very real, affecting all the major brands of Bluetooth devices (Google, Apple, Intel, and more), a hacker would have to be very near your device in order to hack into it. On top of that, patches are already being developed to fix the flaw.
- Bluetooth users should check with their device manufacturers to see if patches are available. Apple and Microsoft have released some already, and the other brands are not far behind. If one is not available for your device yet, rest assured that it soon will be. Update as soon as the patches are ready.
- Default Bluetooth capability to OFF on all of your devices so that you force yourself to consciously switch it on when you need it. This keeps you aware of when it’s in use, and it helps you develop the digital awareness we all need to foster in this day and age. Always know what your devices are doing.