Bluetooth pairing vulnerability

The Bluetooth SIG released an errata for the 4.2 and 5.0 versions of Bluetooth specification on July 23rd relating to a potential vulnerability with the pairing procedures.

For Bluetooth low energy; this only impacts the low energy secure connections mode of pairing, or LESC. LESC is using Diffie Helman key exchange and the potential vulnerability has to do with key validation not bein a mandatory feature in the previous releases of the specification.

 

Nordic Semiconductor is taking security very serious and we already mitigated this attack in the nRF5 SDK release 15 back in March 2018.

 

For more information please check out our the white paper about this issue on the infocenter

Parents
  • I'm sorry but whether it is possible to do this operation without the involvement of man? it turns out a person should see the numbers on the screen of a device such as Android and on the screen of an embedded device like nrf dk, and if I need to secure a fast connection of a screenless device with android so to speak m2m) How can I do it? Thanks

  • I'm not exactly sure what you're asking about. If you already use LESC pairing successfully, you only need to update to a newer SDK that has the automatic verification step. Android will ship their own updates for this. Only one side needs to be patched in order to render the attack (nearly) useless. If you are not using LESC, this vulnerability does not affect you.

Comment
  • I'm not exactly sure what you're asking about. If you already use LESC pairing successfully, you only need to update to a newer SDK that has the automatic verification step. Android will ship their own updates for this. Only one side needs to be patched in order to render the attack (nearly) useless. If you are not using LESC, this vulnerability does not affect you.

Children
No Data