BlueZero: A Major (and Sloppy) Bluetooth Vulnerability … Patch Now!

Prof Bill Buchanan OBE FRSE
Coinmonks
6 min read, Aug 2, 2018


Introduction

In the past, wireless security has been compromised by poor standards and weak implementations. WEP, for example, broke almost every rule in the security book [here]: it could be cracked within hours, and a single crack compromised the whole network. Now it is Bluetooth that is showing poor implementation standards, because of an attack on its core key exchange method: ECDH (Elliptic Curve Diffie-Hellman).

The disclosure was published by an Israeli team here, and describes a man-in-the-middle (MITM) attack with a 50% chance of success. On a successful pairing, the researchers were able to compromise data transfers and even forge keystrokes.

The attack gives us a great chance to learn a bit about key exchange and elliptic curve methods, so I’ll try to cover some of the basics, so that you get a better idea of the problem (and hopefully don't fall into the same trap).

Every great vulnerability deserves a great name — Poodle, BEAST, Heartbleed, FREAK, Wanna Cry, and so on, so I’m going to name it BlueZero, as it is all about Bluetooth and the zero-ing of the parameters involved in the key exchange in the pairing process.

Some basics
