Microsoft Blocks Some Bluetooth Devices Due to Security Risks


Microsoft says that certain Bluetooth devices might start experiencing pairing and connectivity issues after Windows users apply cumulative, security, or monthly rollup updates released today.

As detailed by the Windows support document published today by Microsoft, “These security updates address a security vulnerability by intentionally preventing connections from Windows to unsecure Bluetooth devices. Any device using well-known keys to encrypt connections may be affected, including certain security fobs.”

BLE Titan Security Keys and Feitian Multipass blocked

The reference to security fobs at the end covers Google’s Bluetooth Low Energy (BLE) Titan Security Keys with a T1 or T2 code, which were recalled last month, and the Feitian Multipass (Feitian CTAP1/U2F Security Key).

This happened after it was discovered that it is possible for “an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.”

“Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration,” says Redmond’s ADV190016 Bluetooth Low Energy Advisory.

More details regarding this vulnerability are available in the flaw’s CVE-2019-2102 entry in the Common Vulnerabilities and Exposures database.

Checking if a Bluetooth device is affected

Windows users who experience issues while pairing, connecting, or using their Bluetooth devices after having installed one of the updates released today by Microsoft should “contact the manufacturer of your Bluetooth device to determine if a device update exists.”

Customers can also check the Event Log to see if their Bluetooth devices are affected by looking for an event with the following message:

Your Bluetooth device attempted to establish a debug connection. The Windows Bluetooth stack does not allow debug connection while it is not in the debug mode.
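
One way to run this check from PowerShell, as an added example that is not from Microsoft or the original article. It matches on the message text quoted above and assumes the event is written to the System log; `Find-BluetoothDebugBlock` and its parameters are hypothetical names chosen for illustration.

```powershell
# Added example: search the event log for the blocked "debug connection" message.
# Assumption: the event is recorded in the System log; use -LogName to search elsewhere.
function Find-BluetoothDebugBlock {
    param(
        [string]$LogName = 'System',  # assumed log, not stated in the article
        [int]$Days = 30               # how far back to look
    )

    # Fragment of the event message quoted in the article.
    $needle = 'attempted to establish a debug connection'
    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches the filter, so that
    # case is silenced and simply yields an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$needle*" } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
}

$hits = @(Find-BluetoothDebugBlock)
if ($hits.Count -eq 0) {
    'No blocked Bluetooth debug-connection events found in the selected window.'
} else {
    # Each hit is one refused connection attempt; the timestamp helps
    # correlate it with the pairing attempt for a specific device.
    $hits
}
```

Run it from an elevated prompt shortly after a failed pairing attempt so the timestamp of any hit can be matched to the device that was being paired.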

Impacted Windows updates

As detailed by Microsoft, installing the following cumulative updates (LCU), Monthly Rollups, or security updates could lead to pairing and connectivity issues for some Bluetooth devices:

  • KB4503293 or later LCU for Windows 10, version 1903.
  • KB4503327 or later LCU for Windows 10, version 1809 and Windows Server 2019.
  • KB4503286 or later LCU for Windows 10, version 1803.
  • KB4503284 or later LCU for Windows 10, version 1709.
  • KB4503279 or later LCU for Windows 10, version 1703.
  • KB4503267 or later LCU for Windows 10, version 1607 and Windows Server 2016.
  • KB4503291 or later LCU for Windows 10, version 1507.
  • KB4503276 or later Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
  • KB4503285 or later Monthly Rollup for Windows Server 2012 and Windows Embedded 8 Standard.
  • KB4503290 for Windows 8.1 and Windows Server 2012 R2.
  • KB4503263 for Windows Server 2012 and Windows Embedded 8 Standard.


