In a bulletin, Microsoft points out that this vulnerability is the same one observed by Google, which led Google to recall its BLE Titan security keys in May. Microsoft security engineers Erik Peterson and Matt Beaver found the flaw earlier this year, and it has since been listed as CVE-2019-2102. If exploited, a bad actor could have paired an unwanted BLE device to a user’s device. A problem in the BLE pairing protocol means this could have happened without the user knowing. Google Titan and Feitian security keys were found to be vulnerable, prompting both companies to issue free replacements. It now seems that the Bluetooth Low Energy security keys used with Microsoft’s own Windows 10 are also vulnerable. The company used Patch Tuesday yesterday to tell users that safeguards are available for other BLE solutions. “To address this issue, Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration,” Microsoft said in a security advisory published today.
Fix
The company’s ADV190016 advisory tells users to install the latest Patch Tuesday cumulative updates. Windows users who do so will be protected against unknown or unwanted BLE devices pairing with their systems. “Microsoft is aware of an issue that affects the Bluetooth Low Energy (BLE) version of FIDO Security Keys. Due to a misconfiguration in the Bluetooth pairing protocols, it is possible for an attacker who is physically close to a user at the moment he/she uses the security key to communicate with the security key, or communicate with the device to which the key is paired.” However, Microsoft is not willing to risk the vulnerability spreading. That is why the company has decided to block pairing of the affected security keys.