Microsoft Blocks Pairing of Bluetooth Low Energy Security Keys on Windows
June's Patch Tuesday security updates have come with a warning from Microsoft that it will block the pairing of several Bluetooth Low Energy (BLE) security keys on Windows.
"These security updates address a security vulnerability by intentionally preventing connections from Windows to unsecure Bluetooth devices. Any device using well-known keys to encrypt connections may be affected, including certain security fobs," said Microsoft in a statement.
The vulnerability (CVE-2019-2102) refers to Feitian and Google Titan security keys, both of which have a misconfiguration in the Bluetooth pairing protocols. The 'security fobs' refer to Google's BLE Titan Security Keys (T1 or T2 code), as well as Feitian CTAP1/U2F Security Key.
Google became aware of the bug in mid-May, noting at the time that, "it is possible for an attacker who is physically close to you (30 feet - 10 metres - or so) at the moment you use your security key to (a) communicate with your security key, or (b) communicate with the device to which your key is paired."
As a result of Patch Tuesday's finding, Microsoft has "blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration."
Those with affected devices have been asked to look into requesting a free replacement, which both Google and Feitian are providing for free.
. . .
If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.
