Executive Summary

Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability, which exists at the specification level and therefore affects any BR/EDR Bluetooth device. An attacker could potentially negotiate the offered encryption key length down to 1 byte of entropy, from a maximum of 16 bytes. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the range of the Bluetooth devices in use: using that equipment, they would need to be close enough to communicate with the devices and interfere with the legitimate wireless transmissions. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3.

To address the vulnerability, Microsoft has released a software update that enforces a default 7-octet (56-bit) minimum key length so that key negotiation cannot trivialize the encryption. This enforcement is disabled by default when the update is installed. Customers must enable it by setting a specific flag in the registry. When the flag is set, Windows reads the negotiated encryption key size and rejects the Bluetooth connection if it does not meet the defined minimum.

If your particular Bluetooth device, the Bluetooth radio in your Windows device, or the driver for that Bluetooth radio does not support the longer key length, this update will block connections with that device while the registry value EnableMinimumEncryptionKeySize is set to 1. Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check whether their manufacturer is providing additional guidance on updates and mitigations.

To enable this enforcement feature by using Registry Editor, follow these steps:

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
   HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth
3. On the Edit menu, click Modify to modify the EnableMinimumEncryptionKeySize registry entry.
4. In the Value data box, type 1, and then click OK. This sets "EnableMinimumEncryptionKeySize"=dword:00000001.
5. Exit Registry Editor.
6. Restart the computer.

You then need to reset your Bluetooth device as follows:

1. On the device, go to the Bluetooth Settings.
2. Turn off Bluetooth.
3. Open Device Manager and locate the Bluetooth Controller.
4. Right-click the Bluetooth Controller and select Disable device.
5. After the device is disabled, right-click it again and select Enable device.

Computers with incompatible Bluetooth controllers or devices may have to temporarily or permanently set EnableMinimumEncryptionKeySize = 0 until the controller, firmware, or driver can be updated, or the peripheral itself is updated. Bluetooth connections on computers in this state are not protected against the key-length downgrade and should not be considered secure.

To disable this enforcement feature:

1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
   HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth
3. On the Edit menu, click Modify to modify the EnableMinimumEncryptionKeySize registry entry.
4. In the Value data box, type 0, and then click OK. This sets "EnableMinimumEncryptionKeySize"=dword:00000000.
5. Exit Registry Editor.
6. Restart the computer.
You then need to follow the preceding instructions for resetting your Bluetooth device.

Recommended Actions

The best protection is to keep computers up to date. Please see Microsoft Knowledge Base Article 4514157 for guidance on protecting Windows devices. If your particular device does not support the longer key length, this update will block connections with that device while enforcement is enabled. Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check whether their manufacturer is providing additional guidance on updates and mitigations.

FAQ

1. Why is this enforcement not enabled by default?

A number of devices may not currently support a longer key length and would not function with this fix enabled. Combined with the difficulty of carrying out this attack, which requires specialized equipment and proximity to the target, Microsoft decided to leave the enforcement disabled initially to avoid compatibility issues. The choice to enable it is left to the user.

2. Where can I find more information about enabling this functionality?

If you determine that you need to enable this functionality to enforce a default 7-octet minimum key length, see Microsoft Knowledge Base Article 4514157.

References

Thank you to ICASI for coordinating the multi-vendor response. See also:
- Statement from the International Consortium for Advancement of Cybersecurity on the Internet (ICASI) on the Bluetooth Vulnerability
- CERT/CC VU#918987
- Bluetooth SIG advisory: https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth
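The enable and disable procedures above differ only in the value written to EnableMinimumEncryptionKeySize, and both end with the same Device Manager disable/enable cycle of the Bluetooth controller. The following PowerShell script automates both. It is an added example and is not code from Microsoft's advisory or from KB4514157: the registry path and value name are taken from the advisory text, while the script name, its parameter names, the read-back check, and the assumption that the radio is the Bluetooth-class PnP device whose instance ID is a bus path (USB\... or PCI\...) rather than a BTHENUM\ or BTHLE\ entry are the example's own.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the Microsoft advisory or KB4514157).
  Sets or clears EnableMinimumEncryptionKeySize and, after the required
  restart, power-cycles the Bluetooth controller the way the manual
  Device Manager steps do.

  Usage:
    .\Set-BtKeySizeEnforcement.ps1 -Mode Enable          # then restart
    .\Set-BtKeySizeEnforcement.ps1 -ResetControllerOnly  # after the restart
    .\Set-BtKeySizeEnforcement.ps1 -Mode Disable         # roll back
    .\Set-BtKeySizeEnforcement.ps1                       # show current value
#>
[CmdletBinding()]
param(
    [ValidateSet('Enable', 'Disable')]
    [string]$Mode,
    [switch]$ResetControllerOnly
)

# Registry location and value name as given in the advisory.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Hardware\Bluetooth'
$ValueName = 'EnableMinimumEncryptionKeySize'

function Set-Enforcement {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode)
    $expected = if ($Mode -eq 'Enable') { 1 } else { 0 }

    # Create the key if it is missing; -Force makes this idempotent.
    New-Item -Path $KeyPath -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $expected -Force | Out-Null

    # Read the value back rather than trusting the write succeeded.
    $actual = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($actual -ne $expected) {
        throw "Expected $ValueName=$expected but found $actual"
    }
    Write-Host "$ValueName is now $actual (takes effect after a restart)."
}

function Reset-BluetoothController {
    # Assumption: the radio itself is the Bluetooth-class device whose
    # instance ID is a bus path (USB\..., PCI\...). Paired peripherals and
    # profiles enumerate under BTHENUM\ and BTHLE\ and are skipped.
    $radios = Get-PnpDevice -Class Bluetooth -PresentOnly |
              Where-Object { $_.InstanceId -notmatch '^BTH' }
    if (-not $radios) { throw 'No Bluetooth controller found.' }

    foreach ($radio in $radios) {
        Write-Host "Cycling $($radio.FriendlyName) [$($radio.InstanceId)]"
        Disable-PnpDevice -InstanceId $radio.InstanceId -Confirm:$false
        Start-Sleep -Seconds 2
        Enable-PnpDevice  -InstanceId $radio.InstanceId -Confirm:$false
    }
}

if ($ResetControllerOnly) {
    Reset-BluetoothController
}
elseif ($Mode) {
    Set-Enforcement -Mode $Mode
    Write-Warning 'Restart the computer, then run this script again with -ResetControllerOnly.'
}
else {
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { $current = '(not set; enforcement disabled)' }
    Write-Host "$ValueName = $current"
}
```

Run it from an elevated PowerShell prompt. The restart between the two invocations is deliberate: the advisory requires a reboot after the registry change before the controller is cycled, and the script does not reboot the machine for you. After re-enabling the radio, any peripheral that fails to reconnect is a candidate for the compatibility problem the advisory describes, and the same script with -Mode Disable rolls the change back.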