NCCIC has issued a security advisory and mitigation guidance for a bluetooth vulnerability that impacts Bluetooth firmware and operating system software drivers from multiple vendors.
An overview of the bluetooth vulnerability (CVE-2018-5383):
“Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.”
The impact:
“An unauthenticated, remote attacker within range may be able to utilize a man-in-the-middle network position to determine the cryptographic keys used by the device. The attacker can then intercept and decrypt and/or forge and inject device messages.”
Multiple vendors are expected to release updates over the coming weeks. Stay tuned.