Bluetooth SIG, the authoritative body that governs the Bluetooth Wireless communications protocol has confirmed the existence of a dangerous security flaw. With the confirmation, Apple has taken the liberty to patch the issue in the iPhone devices by releasing the patch update. All of the Apple devices that are vulnerable to the issue will immediately receive the patch update. The vulnerability allowed anyone to brute-force the Bluetooth connection with the device. Bluetooth SIG immediately changed the Bluetooth specifications defines the dangers of such vulnerability.
Bluetooth connection is complete when one device asks for pairing permission and another device accepts it. Once both the device confirms the connection, a public pairing key is exchanged and the connection is activated between two or more devices. Once the connection is activated, a secure encryption key is generated making the data transfer secure. But, the issue with this was that the attacker could have fiddled with the encryption setup, and changed the configuration. According to the information shared by Bluetooth SIG, the attacker could change the requirements of pairing key to a single octet, or a single character. This editing in the pairing and encryption setup would immediately give pairing permissions to the attacker.
After confirming the existence of this vulnerability, the governing authority, i.e., Bluetooth SIG changed the Bluetooth Specifications to patch the issue. Also, the Authority asked the companies using the Bluetooth interface to change the standards. From now on, the companies must force a minimum of seven octets for pairing and encryption setup. With seven octets in the encryption keys, it would be much more difficult for hackers to brute-force the connection with any device. Apple took the immediate steps and pushed the update for all of the iOS-based devices to patch the problem. The status of Update for macOS devices is not known at the time of writing this news.
