With organizations still recovering from the damages caused by recent desktop malware attacks, like SamSam and PowerGhost, a newly discovered bluetooth vulnerability, CVE 2018-5383, is now threatening the data on billions of personal and corporate mobile devices and laptops by allowing attackers to intercept communication between two Bluetooth-enabled devices.
How does this bug work?
Bluetooth makes use of an authentication technique that generates a set of public and private keys while pairing devices. The private key is used to encrypt the data being transmitted, while the public key is used by the devices to determine the private key. It’s been discovered that some implementations of this mechanism do not validate all the parameters while generating the key pair during the pairing process. This allows an attacker the decrypt and modify the data being transmitted.
How can this vulnerability impact businesses?
The total number of devices with Bluetooth capabilities has more than doubled between 2012 to 2018, and around 10 billion devices could be compromised by this vulnerability. This bug mainly affects devices with standard Bluetooth capabilities from the following vendors: Apple, Intel, Google, Android Open Source Project, Qualcomm, and Broadcom. Devices from these vendors are most commonly used in organizations to access, store, and share confidential documents between devices. Attackers can exploit this vulnerability easily as it simplifies man-in-the-middle attacks by reducing the efforts spent on cracking the authentication process.
A cyberattack on an organization leads to loss of data, time, money, and trust. According to a 2018 study conducted by the Ponemon Institute, the average cost of a data breach for an organization is more than $3.8 million. This cost has only gone up over the years, so organizations should be more vigilant now than ever.
How can business secure their devices?
Bluetooth’s Special Interest Group has updated Bluetooth’s specifications to require products to validate the public keys they receive as a part of its standard security procedures. CERT/CC has identified that most of the affected vendors have released software or firmware updates to address this vulnerability.
But with billions of devices affected, how can organizations ensure that all their devices are patched and up to date? ManageEngine Mobile Device Manager Plus simplifies this process by automatically checking for mobile device updates. You can choose to immediately deploy these updates to all the mobile devices in your network or schedule update deployments to avoid bandwidth issues. If you’re not already using Mobile Device Manager Plus, download a free, 30-day trial and start securing your mobile devices with automatic updates.