Microsoft Blocks Pairing of Bluetooth Low Energy Security Keys on Windows
June's Patch Tuesday security updates have come with a warning from Microsoft that it will block the pairing of several Bluetooth Low Energy (BLE) security keys on Windows.
"These security updates address a security vulnerability by intentionally preventing connections from Windows to unsecure Bluetooth devices. Any device using well-known keys to encrypt connections may be affected, including certain security fobs," said Microsoft in a statement.
The vulnerability (CVE-2019-2102) affects Feitian and Google Titan security keys, both of which have a misconfiguration in their Bluetooth pairing protocols. The 'security fobs' in Microsoft's statement are Google's BLE Titan Security Keys (T1 or T2 code), as well as the Feitian CTAP1/U2F Security Key.
Google became aware of the bug in mid-May, noting at the time that, "it is possible for an attacker who is physically close to you (30 feet - 10 metres - or so) at the moment you use your security key to (a) communicate with your security key, or (b) communicate with the device to which your key is paired."
As a result of Patch Tuesday's finding, Microsoft has "blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration."