Important CVSS 9.3 EPSS 0.02691 2019-08 archive

Executive Summary

Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could negotiate the offered encryption key length down to 1 byte of entropy, from a maximum of 16 bytes. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the range of the Bluetooth devices in use: using this equipment, they would need to be close enough to communicate with, and interfere with, the legitimate wireless transmissions. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3.

To address the vulnerability, Microsoft has released a software update that enforces a default 7-octet minimum key length so that the key negotiation cannot trivialize the encryption. This functionality is disabled by default when the update is installed; customers must enable it by setting a specific flag in the registry. When the flag is set, Windows reads the negotiated encryption key size and rejects the Bluetooth connection if it does not meet the defined minimum key size.

If your Bluetooth device, the Bluetooth radio in your Windows device, or the driver for that radio does not support the longer key length, this update could block connections with that device once the registry value EnableMinimumEncryptionKeySize is set to 1. Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check whether their manufacturer provides additional guidance on updates and mitigations.

To enable this enforcement feature by using Registry Editor, follow these steps:

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Open a command prompt as Administrator.
2. Type:
   reg add HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth /v EnableMinimumEncryptionKeySize /t REG_DWORD /f /d 1
3. Restart the computer.

If you do not want to restart the computer, reset the Bluetooth device instead:

1. On the device, go to Bluetooth Settings and turn off Bluetooth.
2. Open Device Manager and locate the Bluetooth controller.
3. Right-click the Bluetooth controller and select Disable device.
4. After the device is disabled, right-click it again and select Enable device.
5. Turn Bluetooth back on in Bluetooth Settings.

Computers with incompatible Bluetooth controllers or devices may have to set EnableMinimumEncryptionKeySize = 0, temporarily or permanently, until the controllers, firmware or drivers, or the device itself, can be updated. Bluetooth connections on computers in this state will not be secure against this key-size downgrade.

To disable this enforcement feature:

1. Open a command prompt as Administrator.
2. Type:
   reg add HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth /v EnableMinimumEncryptionKeySize /t REG_DWORD /f /d 0
3. Restart the computer.

Recommended Actions

The best protection is to keep computers up to date. See Microsoft Knowledge Base Article 4514157 for guidance on protecting Windows devices. If your particular device does not support the longer key length, this update could block connections with that device. Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check whether their manufacturer provides additional guidance on updates and mitigations.
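The registry and Device Manager steps above, expressed as a PowerShell script. This is an added example, not Microsoft's code and not part of KB 4514157. It assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or later, where the PnpDevice cmdlets exist (on Windows 7 use the reg add command and restart); the function names, the filter used to pick the radio out of the Bluetooth device class, and the two-second pause between disable and enable are this example's own choices.

```powershell
# Added example (not Microsoft's code): inspect, enable or disable the
# EnableMinimumEncryptionKeySize policy from the advisory and cycle the
# Bluetooth radio so the change applies without a reboot.
# Needs an elevated prompt and the PnpDevice module (Windows 8.1 / Server 2012 R2
# and later). Function names and the radio filter are this example's own.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Hardware\Bluetooth'
$ValueName = 'EnableMinimumEncryptionKeySize'

function Get-BtMinKeySizePolicy {
    # 1 = connections below 7 octets are rejected, 0 = not enforced,
    # $null = value absent, which the update treats as not enforced.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-BtMinKeySizePolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    # Same write as the advisory's:
    #   reg add HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth
    #           /v EnableMinimumEncryptionKeySize /t REG_DWORD /f /d <0|1>
    # The Policies\Hardware\Bluetooth key may not exist yet, so create it first.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Enabled -Type DWord
}

function Get-BtRadio {
    # The Bluetooth device class also contains the enumerated peripherals
    # (BTHENUM\..., BTHLE\...) and the Microsoft enumerators (BTH\...). The radio
    # itself sits on USB or PCI, so this heuristic keeps only instance IDs that
    # do not start with BTH.
    Get-PnpDevice -Class Bluetooth -PresentOnly |
        Where-Object { $_.InstanceId -notlike 'BTH*' }
}

function Reset-BtRadio {
    # Script equivalent of the Device Manager "Disable device" / "Enable device"
    # step; the new minimum is then checked on the next connection.
    foreach ($radio in Get-BtRadio) {
        Write-Host "Restarting $($radio.FriendlyName) [$($radio.InstanceId)]"
        Disable-PnpDevice -InstanceId $radio.InstanceId -Confirm:$false
        Start-Sleep -Seconds 2
        Enable-PnpDevice  -InstanceId $radio.InstanceId -Confirm:$false
    }
}

# Usage from an elevated prompt:
#   Set-BtMinKeySizePolicy -Enabled 1   # enforce the 7-octet minimum
#   Reset-BtRadio                        # or restart the computer
#   Get-BtMinKeySizePolicy               # read the value back
# If a device can no longer connect, Set-BtMinKeySizePolicy -Enabled 0 restores
# the old behaviour, with the loss of protection the advisory describes.
$current = Get-BtMinKeySizePolicy
$state = if ($null -eq $current) { 'not set (enforcement off)' } else { $current }
Write-Host "EnableMinimumEncryptionKeySize is currently: $state"
```

Running the script as-is only reports the current value; the enable, reset and disable calls are left as the commented usage lines so that nothing changes on the machine by accident. Reset-BtRadio cycles the controller device only; the advisory additionally turns the Bluetooth setting off before that step and on again afterwards, which is worth doing by hand if a peripheral does not reconnect.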
FAQ

1. Why is this enforcement not enabled by default?
A number of devices may not currently support a longer key length and would not function with this fix enabled. Combined with the difficulty of the attack and its need for specialized equipment and proximity to the target, Microsoft decided to leave the enforcement disabled initially to avoid compatibility issues. The choice to enable this functionality is left to the user.

2. Where can I find more information about enabling this functionality?
If you determine that you need to enable this functionality to enforce a default 7-octet minimum key length, see Microsoft Knowledge Base Article 4514157.

References

Thank you to ICASI for coordinating the multi-vendor response. Also see:
Statement from the International Consortium for Advancement of Cybersecurity on the Internet (ICASI) on the Bluetooth Vulnerability
CERT/CC VU#918987
Bluetooth SIG advisory: https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth
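To make concrete what the 7-octet minimum changes, here is a small PowerShell model of the LMP encryption key size negotiation, once on an honest link and twice with a man-in-the-middle that rewrites the requested size to 1 octet. It is added here as an illustration and is not taken from Microsoft, CERT/CC or the Bluetooth SIG material. The message names LMP_encryption_key_size_req, LMP_accepted and LMP_not_accepted are the ones used in the Bluetooth Core Specification; the device objects, the accept / counter-propose / refuse rule, the attacker hook and the device names are simplifications and assumptions of this example.

```powershell
# Added example (not Microsoft's, CERT/CC's or the Bluetooth SIG's code): a toy
# model of the LMP encryption key size negotiation, with an optional
# man-in-the-middle that rewrites the requested size, showing the effect of the
# 7-octet minimum that EnableMinimumEncryptionKeySize = 1 enforces.
# Message names follow the Core Specification; everything else is simplified.

function New-BtDevice {
    param([Parameter(Mandatory)][string]$Name, [int]$MaxKeySize = 16, [int]$MinKeySize = 1)
    # MinKeySize 1 is what the BR/EDR specification allowed; a Windows host with
    # the policy enabled behaves as if its minimum were 7.
    [pscustomobject]@{ Name = $Name; MaxKeySize = $MaxKeySize; MinKeySize = $MinKeySize }
}

function Test-KeySizeRequest {
    param([Parameter(Mandatory)]$Device, [Parameter(Mandatory)][int]$Size)
    # The receiver's three possible answers to LMP_encryption_key_size_req.
    if ($Size -lt $Device.MinKeySize) { return @{ Reply = 'LMP_not_accepted'; Size = $Size } }
    if ($Size -gt $Device.MaxKeySize) { return @{ Reply = 'LMP_encryption_key_size_req'; Size = $Device.MaxKeySize } }
    return @{ Reply = 'LMP_accepted'; Size = $Size }
}

function Invoke-KeySizeNegotiation {
    param(
        [Parameter(Mandatory)]$Initiator,
        [Parameter(Mandatory)]$Responder,
        [scriptblock]$Attacker    # in-flight rewrite of each request's size; omit for an honest link
    )
    $log      = [System.Collections.Generic.List[string]]::new()
    $agreed   = @{}                       # device name -> key size it has agreed to
    $sender   = $Initiator
    $receiver = $Responder
    $proposed = $Initiator.MaxKeySize
    $spoofed  = $false                    # true when the attacker is speaking for $sender

    for ($round = 1; $round -le 6; $round++) {
        $agreed[$sender.Name] = $proposed
        $delivered = if ($Attacker) { & $Attacker $proposed } else { $proposed }
        $from = if ($spoofed) { "attacker (as $($sender.Name))" } else { $sender.Name }
        $note = if ($delivered -ne $proposed) { " [rewritten in flight to $delivered]" } else { '' }
        $log.Add("$from -> $($receiver.Name): LMP_encryption_key_size_req($proposed)$note")
        $spoofed = $false

        $reply = Test-KeySizeRequest -Device $receiver -Size $delivered
        switch ($reply.Reply) {
            'LMP_not_accepted' {
                $log.Add("$($receiver.Name) -> $($sender.Name): LMP_not_accepted (below its $($receiver.MinKeySize)-octet minimum)")
                return [pscustomobject]@{ Result = 'Rejected'; KeySize = 0; Log = $log }
            }
            'LMP_accepted' {
                $log.Add("$($receiver.Name) -> $($sender.Name): LMP_accepted")
                $agreed[$receiver.Name] = $delivered
                if ($agreed[$sender.Name] -eq $delivered) {
                    return [pscustomobject]@{ Result = 'Accepted'; KeySize = $delivered; Log = $log }
                }
                # The sender never proposed $delivered: the attacker changed it, so the
                # attacker must now get the sender to accept the same value.
                $proposed = $delivered
                $spoofed  = $true
            }
            default {
                # Counter-proposal: the receiver supports a smaller size and asks for it.
                $proposed = $reply.Size
            }
        }
        $sender, $receiver = $receiver, $sender
    }
    return [pscustomobject]@{ Result = 'Rejected'; KeySize = 0; Log = $log }
}

# Constructed scenario: the KNOB attacker turns every request into "1 octet".
$knob      = { param([int]$Requested) 1 }
$laptop    = New-BtDevice -Name 'Laptop' -MinKeySize 7   # Windows, policy = 1
$oldLaptop = New-BtDevice -Name 'OldLaptop'              # policy absent or = 0
$headset   = New-BtDevice -Name 'Headset'                # peripheral that still accepts 1 octet

$cases = @(
    @{ Title = 'No attacker, policy on'; Outcome = Invoke-KeySizeNegotiation -Initiator $laptop    -Responder $headset },
    @{ Title = 'KNOB, policy on';        Outcome = Invoke-KeySizeNegotiation -Initiator $laptop    -Responder $headset -Attacker $knob },
    @{ Title = 'KNOB, policy off';       Outcome = Invoke-KeySizeNegotiation -Initiator $oldLaptop -Responder $headset -Attacker $knob }
)
foreach ($c in $cases) {
    "== $($c.Title): $($c.Outcome.Result), key size $($c.Outcome.KeySize) octets"
    $c.Outcome.Log | ForEach-Object { "   $_" }
}
```

The model deliberately lets the attacker rewrite requests in both directions, because both radios have to end up believing the other one asked for the small key; the host-side minimum is the only thing in the exchange that an attacker in the middle cannot influence, which is why the policy works against a peer that itself still accepts 1 octet. Changing the headset's MinKeySize to 7 as well shows the case where the peripheral vendor has shipped the fix: the downgrade is then refused at the first message.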

Overview

CVSS: 9.3 (Critical)
MS Severity: Important
MS Exploit Status: Not Exploited
MS Exploit Likelihood: Less Likely
Category: Tampering
Released: Aug 13 2019
Last Updated: Aug 13 2019
Publicly Disclosed: No
CISA KEV: Not Listed
Known Exploits: None Known
EPSS Score: 0.02691 (0.83934 percentile)

CVSS Vector

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Temporal Score: 8.1

EPSS Score

0.02691 probability of exploitation in the next 30 days
0.83934 percentile (updated 2026-06-20)

Affected Products

37 affected products
Product | KB Article | Severity | Impact | Restart Required
Windows 10 for 32-bit Systems | 4512497 (Security Update) | Important | Tampering | Yes
Windows 10 for x64-based Systems | 4512497 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1607 for 32-bit Systems | 4512517 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1607 for x64-based Systems | 4512517 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1703 for 32-bit Systems | 4512507 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1703 for x64-based Systems | 4512507 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1709 for 32-bit Systems | 4512516 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1709 for ARM64-based Systems | 4512516 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1709 for x64-based Systems | 4512516 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1803 for 32-bit Systems | 4512501 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1803 for ARM64-based Systems | 4512501 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1803 for x64-based Systems | 4512501 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1809 for 32-bit Systems | 4511553 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1809 for ARM64-based Systems | 4511553 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1809 for x64-based Systems | 4511553 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1903 for 32-bit Systems | 4512508 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1903 for ARM64-based Systems | 4512508 (Security Update) | Important | Tampering | Yes
Windows 10 Version 1903 for x64-based Systems | 4512508 (Security Update) | Important | Tampering | Yes
Windows 7 for 32-bit Systems Service Pack 1 | 4512506 (Monthly Rollup), 4512486 (Security Only) | Important | Tampering | Yes
Windows 7 for x64-based Systems Service Pack 1 | 4512506 (Monthly Rollup), 4512486 (Security Only) | Important | Tampering | Yes
Windows 8.1 for 32-bit systems | 4512488 (Monthly Rollup), 4512489 (Security Only) | Important | Tampering | Yes
Windows 8.1 for x64-based systems | 4512488 (Monthly Rollup), 4512489 (Security Only) | Important | Tampering | Yes
Windows RT 8.1 | 4512488 (Monthly Rollup) | Important | Tampering | Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4512506 (Monthly Rollup), 4512486 (Security Only) | Important | Tampering | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4512506 (Monthly Rollup), 4512486 (Security Only) | Important | Tampering | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4512506 (Monthly Rollup), 4512486 (Security Only) | Important | Tampering | Yes
Windows Server 2012 | 4512518 (Monthly Rollup), 4512482 (Security Only) | Important | Tampering | Yes
Windows Server 2012 (Server Core installation) | 4512518 (Monthly Rollup), 4512482 (Security Only) | Important | Tampering | Yes
Windows Server 2012 R2 | 4512488 (Monthly Rollup), 4512489 (Security Only) | Important | Tampering | Yes
Windows Server 2012 R2 (Server Core installation) | 4512488 (Monthly Rollup), 4512489 (Security Only) | Important | Tampering | Yes
Windows Server 2016 | 4512517 (Security Update) | Important | Tampering | Yes
Windows Server 2016 (Server Core installation) | 4512517 (Security Update) | Important | Tampering | Yes
Windows Server 2019 | 4511553 (Security Update) | Important | Tampering | Yes
Windows Server 2019 (Server Core installation) | 4511553 (Security Update) | Important | Tampering | Yes
Windows Server, version 1709 (Server Core Installation) | Unknown | Unknown | Unknown
Windows Server, version 1803 (Server Core Installation) | 4512501 (Security Update) | Important | Tampering | Yes
Windows Server, version 1903 (Server Core installation) | 4512508 (Security Update) | Important | Tampering | Yes

Patches

12 patches
Article | Type | Restart
4512497 | Security Update | Yes
4512517 | Security Update | Yes
4512507 | Security Update | Yes
4512516 | Security Update | Yes
4512501 | Security Update | Yes
4511553 | Security Update | Yes
4512508 | Security Update | Yes
4512506 / 4512486 | Monthly Rollup / Security Only | Yes
4512488 / 4512489 | Monthly Rollup / Security Only | Yes
4512488 | Monthly Rollup | Yes
4512518 / 4512482 | Monthly Rollup / Security Only | Yes
Unknown (Windows Server, version 1709) | Unknown | Unknown

Known Exploits

Acknowledgments

Daniele Antonioli from SUTD, Singapore, Dr. Nils Ole Tippenhauer, CISPA, Germany and Prof. Kasper Rasmussen, University of Oxford, England for reporting this issue