A security flaw with Bluetooth is affecting Android and iPhone smartphones — unless your software is up to date.
The flaw occurs in the validation of encryption keys that devices share in order to create a secure communication link. According to a warning published by the U.S. Computer Emergency Response Team (CERT), devices don’t always validate keys. This may allow attackers to obtain the device’s encryption key and decrypt Bluetooth communications.
Any device using a wireless chip from Intel, Qualcomm or Broadcom has the vulnerability, according to Lior Neumann. Neumann was one of two Israeli researchers who found the bug.
Security patch for many devices
However, manufacturers have already released a number of patches. Android devices with the June 2018 security patch or later are protected, Neumann told Forbes in an email.
Right now, this includes Huawei, LG and Samsung. However, all three manufacturers included the patch in their July security updates. To check if a device has the patch, check security patch notes for ‘CVE-2018-5383.’
Additionally, Apple issued patches for the vulnerability in May. The company incorporated the patches in iOS 11.4 and in the June security patches for supported mac OS variants.
However, those who haven’t updated to 11.4 are still vulnerable. This includes iPhone 8 and X models.
Chip manufacturers working on patches
Broadcom released a statement to CERT, stating the company released relevant fixes to manufacturers. However, it’s up to those manufacturers to implement the fixes. Qualcomm has also sent out patches.
Intel, however, is still working on a fix, according to Forbes.
The Bluetooth Special Interest Group (SIG), which helps develop the Bluetooth standard, released an update. The update serves as a guide to help manufacturers build patches.
Microsoft wasn’t mentioned in the list of affected companies, but Windows is vulnerable to older Bluetooth attacks. This includes an eavesdropping attack in Bluetooth 4.0.
However, Microsoft updated Windows 10 to support Bluetooth 4.2, making the most recent version of its operating system safe.
For now, the best thing you can do is make sure your device is up-to-date. Most major manufacturers released patches for the vulnerability. However, it may take time for patches to reach all devices, especially for Android users.
Source: CERT Via: Cult of Mac, Forbes