Researchers Daniele Antonioli from SUTD, Singapore, Dr. Nils Ole Tippenhauer, CISPA, Germany and Prof. Kasper Rasmussen, University of Oxford, England have identified a vulnerability that affects Bluetooth devices, specifically Bluetooth BR/EDR in Bluetooth Core Specification versions 1.0 through 5.1. This vulnerability has been assigned the identifier CVE-2019-9506. The researchers are presenting their findings at the USENIX Security Symposium this week. The paper will be available as of August 14th through the following link: https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli.
According to CERT/CC, the Bluetooth BR/EDR encryption key negotiation protocol is vulnerable to packet injection that could allow an unauthenticated user to reduce the entropy of the encryption key, potentially causing information disclosure and/or escalation of privileges via adjacent access. There is currently no knowledge of this vulnerability being exploited.
An ICASI member was notified by the researchers of these vulnerabilities. With the permission of the researchers, the ICASI member notified the whole ICASI Membership through ICASI’s Unified Security Incident Response Plan (USIRP). ICASI Members include A10 Networks, Amazon, BlackBerry, Cisco Systems, Honeywell, Intel Corporation, Johnson Controls, Juniper Networks, Microsoft Corporation, Oracle Corporation and VMware. ICASI also engaged with Apple and Lenovo through the ICASI Collaborator Non-Disclosure Agreement.
This notification made it possible for member Product Security Incident Response Teams (PSIRTs) to work together in a timely and efficient manner to understand the vulnerabilities and their scope. ICASI worked with the security researchers, the Bluetooth Special Interest Group and CERT/CC to identify and notify potentially impacted companies. The goal of this coordination was for CERT/CC and the Bluetooth SIG to notify as many potentially impacted vendors as possible so that they could develop the appropriate fixes, while minimizing the risk that the vulnerability would be disclosed prior to a fix being available.
ICASI would like to thank the security community members who coordinated with ICASI on this issue, including Daniele Antonioli from SUTD, Singapore, Dr. Nils Ole Tippenhauer, CISPA, Germany and Prof. Kasper Rasmussen, University of Oxford, England, who reported the issue. We would also like to thank the CERT Coordination Center and the Bluetooth Special Interest Group for their coordination. In addition, ICASI engaged with Apple and Lenovo under a unique multi-party Non-Disclosure Agreement. This collaboration allowed companies to coordinate disclosure and discuss the technical components of the vulnerability, as well as fixes, prior to public release.
ICASI recommends that organizations contact their vendors directly to discuss whether and how they might be impacted. ICASI also recommends that patches be applied when they become available. The following are the security advisories from the ICASI member companies and partners who engaged with ICASI through the USIRP:
- A10 Networks: Not Impacted
- BlackBerry: http://support.blackberry.com/kb/articleDetail?articleNumber=000057251
- Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190813-bluetooth
- Intel Corporation: Not Impacted. Further information is available here: https://software.intel.com/security-software-guidance/insights/more-information-exploiting-low-entropy-encryption-key-negotiation-bluetooth-bredr
- Johnson Controls: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- Juniper: Not Impacted
- Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506
- Oracle: Not Impacted
- VMware: Not Impacted
ICASI USIRP Partners:
- Apple: https://support.apple.com/kb/HT201222
- Lenovo: https://support.lenovo.com/us/en/product_security/LEN-27173
- Bluetooth Special Interest Group: https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth
- CERT/CC: https://www.kb.cert.org/vuls/id/918987
- MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506
Any questions about ICASI should be directed to ICASI Executive Director Scott Algeier at email@example.com or +1 (703) 385-4969.