English |学生 |Candidates and visitors |校友 |Principal clerk box |Disclosure of school affairs |Talent recruitment
Warning about the risk of man-in-the-middle attack vulnerability in the Bluetooth protocol
来源:  作者:  编辑:Cui Yunfei  日期:2023-12-21  Click rate:500  [I want to print]  [关闭]
摘要:

引题:

Key words:

    On December 20, 2023, the National Information Security Vulnerability Sharing Platform (CNVD) included the Bluetooth protocolMan-in-the-middle attack漏洞(CNVD-2023-98846, corresponding to CVE-2023-24023)。An attacker could exploit the vulnerability to force a shorter encryption key length through a fraudulently paired or bound device, compromising the secure authentication mechanism of a Bluetooth device sessionAt present, the principle of the vulnerability technology has been disclosed,CNVDDevice vendors and users affected by the vulnerability are advised to take security precautions。

一、Vulnerability analysis

    蓝牙(Bluetooth is a radio communication protocol that supports short-range communication of devices, and has become a global open technical specification, widely used in personal terminals, vehicle entertainment, industrial production and medical fields。The effective transmission distance of Bluetooth devices is generally less than 10 meters, and the communication quality is susceptible to obstacles。Daniele Antonioli, a security researcher and assistant professor at EURECOM in France, has discovered a security flaw in the core specification of secure connection pairing and secure simple pairing for Bluetooth BR/EDR devices。An attacker within effective Bluetooth transmission distance of a target device could exploit the vulnerability to launch a man-in-the-middle attack (BLUFFS) on a target session by capturing and forging Bluetooth session packets.。The BLUFFS attack can compromise the session authentication mechanism of Bluetooth-paired devices by using a spoofing paired or bound device to force a short encryption key length, thereby compromising the confidentiality and integrity of a Bluetooth communication session。

    CNVD has a comprehensive rating of "medium risk" for the vulnerability.。

2. Scope of vulnerability

    The products and versions affected by the vulnerability are: Bluetooth Protocol core specification, the version range is4.2 (released December 2014) to 5.4 (released February 2023)。
3. Suggestions on vulnerability disposal

    Currently, responsible for Bluetooth standard development and technology licensingBluetooth Technology AllianceSIG, the Special Interest Group, has issued security precautions。

    The CNVD recommends that users of Bluetooth devices strengthen security precautions, pay attention to suspicious devices around them when opening a Bluetooth connection, and use a high-strength Bluetooth communication key。

The above article is fromCNVD vulnerability platform

 

E-mail:
作者:
编辑:Cui Yunfei
Previous post:Early warning of high risk vulnerability in Sunflower remote operation and maintenance software
Next post:Notice on the issuance of "Guiyang Institute of Information Science and Technology E-mail Use Management Measures (Trial)"
sitemap| Copyright notice| Privacy statement
Address: No. 8, Siya Road, Huaxi University Town, GUI 'an New District, Guiyang, Guizhou
Taxpayer Identification Number: 52520000090327188H
Qian ICP for 20002667