A vulnerability affecting Bluetooth LE Secure Connections was found in the Bluetooth Core specification versions 4.0 through 5.2 and BR/EDR Secure Simple Pairing in the Bluetooth Core specification versions 2.1 through 5.2. The flaw could allow an attacking device to successfully intercede as a man-in-the-middle (MITM) between two pairing devices. To do this, the attacker must negotiate a numeric compare procedure with one device and a passkey pairing procedure with the other, and the user must erroneously enter the numeric compare value as the passkey and accept pairing on the numeric compare device.
As per the report: "For this attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing either an LE or a BR/EDR encrypted connection without existing shared credentials (LTK or link key). At least one device must permit entry of a passkey, and the other must support a display capable of representing six decimal digits." In the BR/EDR Secure Simple Pairing scenario, only devices operating as a keyboard for the purposes of pairing may be used to enter the passkey, thus partially lowering the exposure of the flaw.
Acknowledgments: CERT
Mitigation: Use the Out of Band (OOB) pairing mechanism if possible. Disabling Bluetooth may be a suitable alternative for some environments; please refer to the Red Hat knowledgebase solution [1] for how to disable Bluetooth in Red Hat Enterprise Linux. [1] https://access.redhat.com/solutions/2682931
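The flaw described above is possible because the pairing method on each leg is chosen from unauthenticated IO capability claims, and the OOB mitigation works because OOB data takes precedence over that choice. The following added example (not part of this advisory or of bluez) models the LE Secure Connections association-model selection from Bluetooth Core Spec Vol 3, Part H, 2.3.5.1 / Table 2.8; the function names and the two-device scenario are this example's own.

```python
# Added example: how LE Secure Connections selects the pairing association
# model from the two devices' exchanged IO capabilities and OOB/MITM flags.
# Nothing in that exchange is authenticated, so the model chosen on one leg of
# a pairing says nothing about the model chosen on another leg; OOB data
# overrides the table, which is why the advisory recommends OOB pairing.

IO_CAPS = ("DisplayOnly", "DisplayYesNo", "KeyboardOnly",
           "NoInputNoOutput", "KeyboardDisplay")

# Rows: initiator IO capability, columns: responder IO capability in IO_CAPS
# order (Core Spec Vol 3, Part H, Table 2.8, Secure Connections entries).
# NC = Numeric Comparison, PE = Passkey Entry, JW = Just Works.
_TABLE = {
    "DisplayOnly":     ("JW", "JW", "PE", "JW", "PE"),
    "DisplayYesNo":    ("JW", "NC", "PE", "JW", "NC"),
    "KeyboardOnly":    ("PE", "PE", "PE", "JW", "PE"),
    "NoInputNoOutput": ("JW", "JW", "JW", "JW", "JW"),
    "KeyboardDisplay": ("PE", "NC", "PE", "JW", "NC"),
}
_NAMES = {"NC": "Numeric Comparison", "PE": "Passkey Entry",
          "JW": "Just Works", "OOB": "Out of Band"}


def select_model(init_io, resp_io, init_oob=False, resp_oob=False,
                 init_mitm=True, resp_mitm=True):
    """Return the association model LE SC would choose for one pairing."""
    if init_io not in IO_CAPS or resp_io not in IO_CAPS:
        raise ValueError("unknown IO capability")
    # LE SC: OOB is used whenever either side presents OOB data.
    if init_oob or resp_oob:
        return _NAMES["OOB"]
    # If neither side requires MITM protection, IO capabilities are ignored.
    if not (init_mitm or resp_mitm):
        return _NAMES["JW"]
    return _NAMES[_TABLE[init_io][IO_CAPS.index(resp_io)]]


def both_show_six_digits(model_a, model_b):
    """True when both models present the user with a six-digit number, so the
    number alone does not reveal which model a device is running."""
    six_digit = {_NAMES["NC"], _NAMES["PE"]}
    return model_a in six_digit and model_b in six_digit


def two_device_scenario(use_oob=False):
    """Hypothetical scenario from the advisory: a DisplayYesNo device and a
    KeyboardOnly device, each pairing with a peer that claims a capability of
    its own choosing. Returns the model selected on each leg."""
    leg_display = select_model("DisplayYesNo", "DisplayYesNo", resp_oob=use_oob)
    leg_keyboard = select_model("DisplayOnly", "KeyboardOnly", init_oob=use_oob)
    return leg_display, leg_keyboard
```

Without OOB the two legs resolve to Numeric Comparison and Passkey Entry, both shown as six decimal digits; with OOB data on the legitimate devices the table is bypassed on both legs.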
External References:
https://kb.cert.org/vuls/id/534195/
https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/method-vulnerability/
Created bluez tracking bugs for this issue: Affects: fedora-all [bug 1841544]