Microsoft blocks BLE security keys with known pairing vulnerability
Microsoft said today it plans to block the pairing of certain Bluetooth Low Energy (BLE) security keys on Windows due to a vulnerability its engineers discovered in the BLE pairing protocol earlier this year.
The vulnerability Microsoft is referencing is the same security flaw that forced Google to recall all BLE-based Titan security keys last month, and offer free replacements to its customers.
The vulnerability, tracked as CVE-2019-2102, was discovered earlier this year by two Microsoft security researchers — Erik Peterson, and Matt Beaver.
The two found that a misconfiguration in the implementation of the BLE pairing protocol would have allowed a local attacker in the proximity of a victim to pair a rogue BLE device to a user’s system (smartphone, laptop, PC) without the user’s knowledge or interaction.
At the time, only BLE-compatible Google Titan and Feitian security keys were found to be impacted by this vulnerability, and both companies offered free replacements to their customers.
Microsoft taking action at the OS level
Today, Microsoft also took steps to safeguard Windows users in the case they are using other BLE security keys that are vulnerable to the same CVE-2019-2102 vulnerability.
“To address this issue, Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration,” Microsoft said in a security advisory published today.
This security advisory — ADV190016 — is part of Microsoft’s June 2019 Patch Tuesday updates, which the company released just a few hours ago.
This means that after applying today’s security updates, Windows users will be protected at the OS level against any unknown BLE device pairings that may also be vulnerable to this attack.
Last week, Google released similar security patches for the Android operating system, which include fixes for CVE-2019-2102, preventing attackers from exploiting this BLE protocol misconfiguration to pair malicious BLE devices to an Android smartphone.
Microsoft’s ADV190016 does the same thing, but for Windows users.
For Linux and macOS users, it is recommended that they follow Google’s advice on this matter, and only pair BLE security keys with their operating systems in environments where an attacker is not physically near.