Last month we talked about a protocol vulnerability here Bluetooth that could potentially put devices of various brands (such as Apple) at risk of improper tracking. Today, one more flaw has been discovered which is possibly even more dangerous, but fortunately has already been fixed in Ma devices.
The newly discovered vulnerability is in the initial protocol of communication between two devices. When a Bluetooth connection is initiated, the two devices in question need to “accept” the start of the transfer; This is done with an exchange of codes used to authenticate the identity of the devices to each other. Once this is done, communication between them is initiated.
What's the problem? Researchers have found that an attacker can interfere with this initial authentication between devices by reducing the identity code to a single-character element. With this, the malicious device can easily try all possible codes and infiltrate the connection giving it the ability to capture data, install malware on other devices or manipulate their traffic.
Even in the case of Bluetooth connections that require codes with a minimum number of characters, the researchers reveal, several devices simply did not take the step to verify the size of these codes with this, it was possible to perform the attack in the same way.
The Bluetooth SIG group responsible for protocol development acknowledged the vulnerability and changed the technology specifications to address it, requiring manufacturers of Bluetooth-connected devices to update their devices to require authentication with codes of at least seven characters. .
Apple has already done so, and the company's systems are immune from failure since the iOS 12.4, O macOS Mojave 10.14.6, O watchOS 5.3 it's the tvOS 12.4, released last July. The company has also made security fixes related to the same vulnerability in the macOS High Sierra 10.13.6 and in macOS Sierra 10.12.6, for computers that do not have the ability to run Mojave (or its successors).
So update your devices and keep an eye out, always.