Bluetooth vulnerability puts your data at risk, millions affected
According to the Bluetooth SIG, the standards body that oversees Bluetooth technology, a newly disclosed vulnerability in commonly available and widely used Bluetooth technology has put millions of devices at risk. The vulnerability, which affects devices from Apple, Qualcomm, Intel and others, allows cyber criminals to intercept and monitor data being exchanged between two vulnerable devices. Here's what you can do about it.
Where does the loophole lie?
The vulnerability lies in two Bluetooth pairing features: Secure Simple Pairing and LE Secure Connections. The Bluetooth specification recommends, but does not require, that a device validate the public key it receives from the other device when the two exchange keys over the air. Because the check is optional, there are Bluetooth devices that never validate the public key they receive, and pairings involving such devices become vulnerable to attack.
How a criminal can exploit the Bluetooth vulnerability
The vulnerability allows a cyber criminal within wireless range of two vulnerable devices to use a man-in-the-middle position to recover the cryptographic keys the devices are using. Put simply, the attacker can interfere with the public key exchange, trick the vulnerable devices into believing that authentication has completed, and then inject malicious data to monitor and manipulate the traffic between them.
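The check the article says the specification only recommends is a public key validation: before a device uses a peer's key in the Diffie-Hellman computation, it should confirm that the received coordinates actually describe a point on the agreed curve. The following is an added example written for this page, not code from the Bluetooth SIG or from any affected vendor. It uses the published NIST P-256 domain parameters (the curve that Secure Simple Pairing and LE Secure Connections use), implements the on-curve check, and only then derives a shared secret; a point that fails validation is rejected. The byte decoding helper and the function names are this example's own conventions, not the Bluetooth on-air format.

```python
# Added example: validate a peer's elliptic-curve public key before using it.
# Not code from the article, the Bluetooth SIG, or any vendor. The curve
# parameters are the published NIST P-256 values; everything else is illustrative.

# NIST P-256 domain parameters (field prime, curve coefficients, group order, generator).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
P256_G = (P256_GX, P256_GY)


def is_on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + ax + b over the P-256 field."""
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_peer_public_key(x, y):
    """The optional check the article describes: reject any received key that
    is out of range or not on the curve. P-256 has cofactor 1, so an on-curve
    point is automatically in the prime-order group and no extra multiplication
    by the order is needed."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return is_on_curve(x, y)


def _inv(v):
    # Modular inverse in the P-256 field (Python 3.8+ supports pow(v, -1, m)).
    return pow(v % P256_P, -1, P256_P)


def _point_add(p1, p2):
    # Affine point addition; None represents the point at infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None  # P + (-P) = infinity
        lam = (3 * x1 * x1 + P256_A) * _inv(2 * y1) % P256_P  # doubling
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def derive_shared_secret(private_scalar, peer_x, peer_y):
    """Compute the ECDH shared x-coordinate, but only for a validated peer key.
    Raises ValueError instead of silently using an invalid point."""
    if not (1 <= private_scalar < P256_N):
        raise ValueError("private scalar out of range")
    if not validate_peer_public_key(peer_x, peer_y):
        raise ValueError("peer public key failed validation")
    shared = scalar_mult(private_scalar, (peer_x, peer_y))
    if shared is None:
        raise ValueError("shared point is the point at infinity")
    return shared[0]


def decode_coordinates(raw):
    """Decode 64 bytes as two big-endian 32-byte coordinates. This byte layout
    is this example's own convention for test input, not Bluetooth's on-air order."""
    if len(raw) != 64:
        raise ValueError("expected 64 bytes")
    return int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
```

In a real stack the validation would sit where the pairing public key is received, before any shared-key derivation; the article's point is that some implementations skipped exactly this step.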
Complete list of affected and unaffected vendors
It has been confirmed that Bluetooth devices from Apple, Qualcomm, Intel, and Broadcom are affected. Microsoft remains unaffected, while it is not yet known whether Google, Android Open Source Project (AOSP), and Linux-based devices are affected.
What you can do to secure your data
Apple and Intel have already released firmware and software updates that fix the vulnerability, so if you use Bluetooth devices made by these vendors, install the updates as soon as possible. Software patches and firmware updates from the remaining affected vendors are expected in the coming weeks. Beyond keeping devices updated, there is not much else to be done.