Microsoft MS:CVE-2019-9506
Aug 13, 2019 - 7:00 a.m.

Encryption Key Negotiation of Bluetooth Vulnerability

2019-08-13 07:00:00
Microsoft
msrc.microsoft.com

CVSS3: 8.1 High
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 4.8 Medium
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:A/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low
Percentile: 42.1%

Executive Summary

Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes.

To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the range of the Bluetooth devices in use. Using this specialized equipment, they would need to be close enough to communicate and interfere with the legitimate transmissions being made wirelessly.

CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3.

To address the vulnerability, Microsoft has released a software update that enforces a default 7-octet minimum key length to ensure that the key negotiation does not trivialize the encryption. This functionality is disabled by default when the update is installed. Customers must enable this functionality by setting a specific flag in the registry. When the flag is set, Windows software will read the encryption key size and reject the Bluetooth connection if it does not meet the defined minimum key size.

If your particular Bluetooth device, the Bluetooth radio in your Windows device, or the driver for that Bluetooth radio does not support the longer key length, this update could block connections with that device when the registry value EnableMinimumEncryptionKeySize is set to 1. Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check whether their manufacturer is providing additional guidance on updates and mitigations.

To enable this enforcement feature by using Registry Editor, follow these steps:

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  1. Open a command prompt as Administrator.
  2. Type: reg add HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth /v EnableMinimumEncryptionKeySize /t REG_DWORD /f /d 1
  3. Restart the computer.

If you don’t want to restart your computer, you will need to reset your Bluetooth device as follows:

  1. On the device, go to the Bluetooth Settings.
  2. Turn off Bluetooth.
  3. Open the Device Manager and locate the Bluetooth Controller.
  4. Right-click on the Bluetooth Controller and select Disable device.
  5. After the device is disabled, right-click again and select Enable device.
  6. Turn on Bluetooth in Bluetooth Settings.

Computers with incompatible Bluetooth controllers or devices may have to temporarily or permanently set EnableMinimumEncryptionKeySize = 0 until controllers, firmware or drivers can be updated or the device itself updated. Bluetooth connections on computers in this state will not be secure.

To disable this enforcement feature:

  1. Open a command prompt as Administrator.
  2. Type: reg add HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth /v EnableMinimumEncryptionKeySize /t REG_DWORD /f /d 0
  3. Restart the computer.
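
The enable and disable steps above can be checked and applied from PowerShell. The following is an added example, not code from Microsoft or this advisory: it reports whether the flag is present, correctly typed and set, and sets it on request. The function names and state labels are hypothetical; the registry path and value name are those given in the steps above.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical; the
# registry path and value name are the ones given in the advisory steps.
$BtPolicyPath = 'HKLM:\System\CurrentControlSet\Policies\Hardware\Bluetooth'
$BtValueName  = 'EnableMinimumEncryptionKeySize'

function Get-BtMinKeySizeState {
    param([string]$Path = $BtPolicyPath, [string]$Name = $BtValueName)
    # A missing key or value means the flag was never set (enforcement is off).
    if (-not (Test-Path -LiteralPath $Path)) { return 'NotConfigured' }
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) { return 'NotConfigured' }
    # The advisory creates the value as REG_DWORD; report any other type.
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    switch ($key.GetValue($Name)) {
        1       { return 'Enforced' }
        0       { return 'Disabled' }
        default { return 'UnexpectedValue' }
    }
}

function Set-BtMinKeySizeEnforcement {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value,
        [string]$Path = $BtPolicyPath,
        [string]$Name = $BtValueName
    )
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set REG_DWORD to $Value")) {
        # Create the policy key only when absent so existing values are kept.
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        # -Force overwrites an existing value, like the /f switch of reg add.
        New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
    # The new setting applies after a restart or a Bluetooth controller reset.
    Get-BtMinKeySizeState -Path $Path -Name $Name
}

# Read-only audit of the local machine.
Get-BtMinKeySizeState
```

Running Set-BtMinKeySizeEnforcement -Value 1 -WhatIf from an elevated session previews the change without writing to the registry.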

Recommended Actions

The best protection is to keep computers up to date. Please see Microsoft Knowledge Base Article 4514157 for guidance on protecting Windows devices.

If your particular device does not support the longer key length, this update could block connections with that device. Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check to see if their manufacturer is providing additional guidance on updates and mitigations.

FAQ

1. Why is this enforcement not enabled by default?

A number of devices may not currently be able to support a longer key length and would not function with this fix enabled. Given this, together with the difficulty of carrying out the attack and the need for specialized equipment and proximity to the target, the enforcement was left disabled initially to avoid compatibility issues. The choice to enable this functionality is left up to the user.

2. Where can I find more information about enabling this functionality?

If you determine that you need to enable this functionality to enforce a default 7-octet minimum key length, see Microsoft Knowledge Base Article 4514157.
