CVE-2018-5383 - Bluetooth hacking vulnerability

Does anybody know if this will require a patch on both ends? So like the hearing aids as well? Or is it only one of the two that would require patching? All the major brands support bluetooth now, so they’re potentially vulnerable.

It’s not too bad, as it looks like it’s “only” when pairing that the encryption keys might be collected by someone nearby.

Source: New Bluetooth Hack Affects Millions of Devices from Major Vendors

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.”

As you mentioned:
You shouldn’t have trouble with this. The vulnerability is very limited.

The real Android problem is that other serious vulnerabilities are seldom addressed by various manufacturers after sale. The problem has been noticed by Google and they’ve done a bit to try to get more O/S updates. Phone O/S is more highly integrated, limiting driver-only updates. That’s why you see full updates when they do happen.

I have a fire tablet. Amazon doesn’t claim it is Android but it is. It is just so customized to Amazon sales that it isn’t allowed to have the play store. Google only allows that for tablets/phones that conform more.

Google has just been fined by the EU billions for requiring such integration to have play store access. But the EU is more interested in sound bites than facts. Google provides Android “free” and needs some way to recover that extensive cost.

Phonak wrote back to me:

Audeo B-Direct devices are affected by CVE-2018-5383.

In summary:
• An attacker who is in proximity during a pairing process can recover the secrets.
• Subsequently he can use the secrets either to passively eavesdrop on communications (e.g. listen to phone calls) or to actively spoof one of the paired devices to its peer.
• The attack works when both pairing devices are vulnerable.
• The attack is relatively difficult to mount without a specially developed tool. Such a tool is not yet publicly known to exist.
• A similar tool would be required to break the “Just Works” pairing method, which we use too. So, even if we fixed this vulnerability, we would still be vulnerable to the same extent.

If you expect to be a target for targeted attacks, then your concerns are reasonable. In this case, as a mitigation you should perform any pairing in a “safe place” (as recommended in NIST SP 800-121). As mentioned, this is not solely because of CVE-2018-5383, but because we use “Just Works” and, of course, because the biggest vulnerability for Audeo B-Direct is the absence of a dedicated pairing gesture.
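For readers wondering what a "patch" for this CVE actually changes on a device: CVE-2018-5383 is the Bluetooth pairing flaw in which a device accepted the peer's ECDH public key without checking that it was a valid point on the P-256 curve, and the fix the Bluetooth SIG required is exactly that check. The code below is an added illustration of that defensive check, written for this thread; it is not code from Phonak, the Bluetooth SIG, or any hearing-aid firmware. It uses the standard P-256 parameters and assumes the pairing stack is P-256 based (which Secure Simple Pairing and LE Secure Connections are); the 64-byte little-endian X‖Y layout in `public_key_from_pdu` is also an assumption about the SMP Pairing Public Key PDU and is labelled as such in the comments.

```python
# Added example (not from the original thread or from Phonak): validating a
# peer's P-256 public key before using it in Bluetooth pairing, the check that
# the CVE-2018-5383 fix adds on each device. Pure-integer arithmetic, no
# dependencies, so it runs stand-alone.

# Standard NIST P-256 domain parameters (y^2 = x^3 + a*x + b over GF(p)).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) satisfies the P-256 curve equation with in-range coordinates."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def legacy_accept_peer_public_key(x: int, y: int) -> bool:
    """The pre-fix behaviour, shown only for contrast: the key is used as-is.

    A stack that skipped curve validation effectively ignored whether y belonged
    to the curve at all; that is the defect tracked as CVE-2018-5383.
    """
    return 0 <= x < P256_P and 0 <= y < P256_P  # range-only, no curve check


def validate_peer_public_key(x: int, y: int) -> bool:
    """The post-fix behaviour: reject anything that is not a proper curve point.

    P-256 has cofactor 1, so an in-range point on the curve is automatically in
    the prime-order group; no separate subgroup check is needed. The point at
    infinity has no affine encoding, so an all-zero key is rejected by the
    curve test (b != 0).
    """
    return is_on_curve(x, y)


def public_key_from_pdu(payload: bytes) -> tuple[int, int]:
    """Decode a 64-byte X||Y public key as carried in an SMP Pairing Public Key PDU.

    Assumption (labelled): both coordinates are 32-byte little-endian, following
    the usual little-endian convention for LE SMP fields.
    """
    if len(payload) != 64:
        raise ValueError("expected 64-byte public key payload")
    return int.from_bytes(payload[:32], "little"), int.from_bytes(payload[32:], "little")


def pdu_from_public_key(x: int, y: int) -> bytes:
    """Inverse of public_key_from_pdu, used here to build constructed test inputs."""
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


def accept_pairing_public_key(payload: bytes, hardened: bool = True) -> bool:
    """Entry point a pairing state machine would call on receipt of the peer key."""
    x, y = public_key_from_pdu(payload)
    return validate_peer_public_key(x, y) if hardened else legacy_accept_peer_public_key(x, y)


if __name__ == "__main__":
    # Constructed inputs: the generator (a genuine curve point) and a key with a
    # legitimate x but a y that does not lie on the curve.
    good = pdu_from_public_key(P256_GX, P256_GY)
    bad = pdu_from_public_key(P256_GX, 1)
    print("genuine key, hardened stack :", accept_pairing_public_key(good))        # True
    print("off-curve key, legacy stack :", accept_pairing_public_key(bad, False))  # True (the bug)
    print("off-curve key, hardened stack:", accept_pairing_public_key(bad))        # False
```

The practical reading for the thread's question: the check runs on whichever side receives a key, so a fully fixed link needs it on both the phone and the hearing aid, which matches Phonak's note that the attack only works when both pairing devices are vulnerable. A key that fails `validate_peer_public_key` should abort the pairing rather than fall back to any other method.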