PT-2023-7239 · Bluetooth Special Interest Group (SIG) · Bluetooth Core Specification
Published 2023-01-20 · Updated 2026-03-14
CVE-2023-24023
CVSS v3.1: 6.8 (Medium)
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Bluetooth Core Specification versions 4.2 through 5.4
Description
Bluetooth BR/EDR devices that implement Secure Simple Pairing and Secure Connections pairing, as defined in Bluetooth Core Specification versions 4.2 through 5.4, allow a man-in-the-middle attacker within radio range to force a short encryption key length during session key negotiation. A key that short can be recovered by brute force, which lets the attacker decrypt traffic between the paired devices, inject packets into the live session, and impersonate either device. The CVSS vector reflects this: the attacker must be adjacent (AV:A) and in a position to intercept the link (AC:H), but needs no privileges or user interaction. The estimated number of potentially affected devices worldwide is in the billions, including smartphones, laptops, and other mobile devices. The issue is tracked as CVE-2023-24023 and was responsibly disclosed in October 2022.
Recommendations
For implementations of Bluetooth Core Specification versions 4.2 through 5.4, consider the following measures to reduce the risk of this and similar attacks:
- Enforce a minimum encryption key length: refuse service-level connections on an encrypted baseband link whose key is shorter than 7 octets. Where the implementation can always operate in Security Mode 4, Level 4 (Secure Connections with a 128-bit key), require 16 octets.
- Operate both devices in Secure Connections Only mode where possible, so that Legacy Secure Connections (LSC) session key negotiation is never used.
- For links that must still use LSC, derive session keys with a key derivation function (KDF) that mixes in fresh diversifiers from both parties, authenticate those diversifiers with the shared pairing key, and keep a cache of session key diversifiers already used so that one cannot be replayed to force key reuse.
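As an added example (not part of the advisory, and not code from the Bluetooth SIG or any vendor stack), the following Python implements the key-length check above on the host side. A host learns the negotiated key size of a BR/EDR link by issuing HCI_Read_Encryption_Key_Size (OGF 0x05, OCF 0x0008, opcode 0x1408) and reading the Command Complete event; the code parses that event and rejects service-level connections whose key is shorter than 7 octets, or shorter than 16 octets when the host requires Security Mode 4, Level 4. The event bytes are constructed for the example rather than captured traffic, and the function and constant names are the example's own.

```python
"""Minimum encryption key size policy for BR/EDR links (added example).

Parses the HCI Command Complete event that answers HCI_Read_Encryption_Key_Size
and applies the advisory's policy: at least 7 octets on any encrypted link,
16 octets (Secure Connections only) where Security Mode 4, Level 4 is required.
Byte layouts follow the HCI event format in the Bluetooth Core Specification;
the sample events are constructed here, not captured.
"""
import struct
from dataclasses import dataclass

HCI_EV_CMD_COMPLETE = 0x0E           # event code of Command Complete
HCI_OP_READ_ENC_KEY_SIZE = 0x1408    # (OGF 0x05 << 10) | OCF 0x0008
MIN_ENC_KEY_SIZE = 7                 # octets; floor for any encrypted link
SC_ONLY_KEY_SIZE = 16                # octets; Security Mode 4, Level 4


@dataclass
class EncKeySize:
    handle: int      # connection handle (12 bits)
    status: int      # HCI status, 0x00 on success
    key_size: int    # negotiated encryption key length in octets


def parse_read_enc_key_size(event: bytes) -> EncKeySize:
    """Parse a Command Complete event for HCI_Read_Encryption_Key_Size.

    Layout: event_code(1) param_len(1) num_hci_cmd_pkts(1) opcode(2, LE)
            status(1) connection_handle(2, LE) key_size(1)
    """
    if len(event) < 9:
        raise ValueError("short HCI event")
    ev_code, plen, _num_cmd_pkts, opcode = struct.unpack_from("<BBBH", event, 0)
    if ev_code != HCI_EV_CMD_COMPLETE or opcode != HCI_OP_READ_ENC_KEY_SIZE:
        raise ValueError(f"not a Read_Encryption_Key_Size reply: "
                         f"event={ev_code:#04x} opcode={opcode:#06x}")
    if plen != len(event) - 2:
        raise ValueError("parameter length does not match event size")
    status, handle, key_size = struct.unpack_from("<BHB", event, 5)
    return EncKeySize(handle=handle & 0x0FFF, status=status, key_size=key_size)


def accept_link(info: EncKeySize, *, secure_connections: bool, sc_only: bool) -> bool:
    """Decide whether a service-level connection may proceed on this link.

    - Any non-zero HCI status: reject, because the key strength is unverified.
    - sc_only (Security Mode 4, Level 4): require Secure Connections and 16 octets.
    - Otherwise: require at least 7 octets, which defeats the forced short key.
    """
    if info.status != 0x00:
        return False
    if sc_only:
        return secure_connections and info.key_size >= SC_ONLY_KEY_SIZE
    return info.key_size >= MIN_ENC_KEY_SIZE


def build_event(handle: int, key_size: int, status: int = 0x00) -> bytes:
    """Construct a Command Complete event for the example (test input only)."""
    params = struct.pack("<BHBHB", 1, HCI_OP_READ_ENC_KEY_SIZE, status, handle, key_size)
    return struct.pack("<BB", HCI_EV_CMD_COMPLETE, len(params)) + params


if __name__ == "__main__":
    # A 1-octet key is what the man-in-the-middle forces; 7 and 16 are the
    # two thresholds in the advisory's guidance.
    for size in (1, 7, 16):
        info = parse_read_enc_key_size(build_event(0x0001, size))
        print(f"key_size={size:2d} "
              f"legacy_ok={accept_link(info, secure_connections=False, sc_only=False)} "
              f"sc_only_ok={accept_link(info, secure_connections=True, sc_only=True)}")
```

The check must run after encryption is enabled on the link and before any profile-level data is exchanged, because the key size reported by the controller is the outcome of the negotiation the attacker tampers with; a host that trusts the pairing key strength alone never sees the downgrade.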
Weakness
Inadequate Encryption Strength (CWE-326)
Affected Products
AlmaLinux
Astra Linux
Bluetooth Core Specification
CentOS
Debian
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu
Windows