The June Patch Tuesday updates from Microsoft included a change to the Bluetooth LE stack which could prevent some of your Bluetooth devices from connecting – and you’ll be glad!
When vendors publish specifications, such as the one for Bluetooth LE, it is common practice to include some example code to give adopters an idea of how to implement the new product into their code. The Bluetooth LE specification was no different and it included sample code. The example code included all the elements needed to make a successful pairing and connection from a Bluetooth LE device to a host such as a phone or PC – including dummy long term keys to encrypt the communications between the device and the host.
The problem is, more than one vendor appears to have cut-and-paste the sample code verbatim into their products – including using the same example crypto key! (CVE-2019-2102)
This means there are multiple Bluetooth devices on the market all using the same keys making it trivial for attackers to impersonate trusted and paired devices (such as a keyboard) and communicate with your phone or PC because the long term key is well known.
The change Microsoft made to Windows products in the June patch is to refuse a connection from any device which uses the well known keys from the sample code in the Bluetooth LE specs.
As Microsoft states,
You may experience issues pairing, connecting or using certain Bluetooth devices after installing security updates released June 11, 2019. These security updates address a security vulnerability by intentionally preventing connections from Windows to unsecure Bluetooth devices. Any device using well-known keys to encrypt connections may be affected, including certain security fobs.
More details on Microsoft’s update to the Bluetooth LE Stack can be found on their website.