Windows guidance for Bluetooth key length enforcement

  1. Posted by Brink

    Windows guidance for Bluetooth key length enforcement

    Applies to: Windows 10 version 1903, Windows 10 version 1809, Windows 10 version 1803, Windows 10 version 1709, Windows 10 version 1703, Windows 10 version 1607, Windows 10, Windows 8.1, Windows Server 2019 all versions, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

    Summary

    A security vulnerability has been found in the minimum encryption key length used to establish connections with Bluetooth BR/EDR devices (basic rate/enhanced data rate, also known as "Bluetooth Classic"). To exploit this vulnerability, an attacker needs specialized hardware and must be within signal range of the Bluetooth devices in use. While the devices are pairing or connecting, the attacker may be able to interfere with the key-size negotiation, intercept the signal, and force the encryption key size down to 1 byte, from a maximum of 16 bytes. This may allow the attacker to decrypt the traffic and the personal data within it, or to hijack the devices themselves.

    Note Bluetooth Low Energy (Bluetooth LE) devices are not affected by this issue.

    For more information about this security vulnerability, see:


    Note At the time of disclosure, we are not aware of this vulnerability being exploited maliciously.

    Mitigation available on Windows devices

    To address this vulnerability, on August 13, 2019 Microsoft released a Windows security update (as part of an industry-wide coordination) with a Windows Bluetooth (BT) encryption key size enforcement feature across all supported Windows operating system platforms. This mitigation is off by default and must be enabled via registry key.

    Customers must enable this functionality by setting a specific flag in the registry. When the flag is set, the Windows software will read the encryption key size and reject the Bluetooth connection if it does not meet the defined minimum key size. If your device does not support the higher-level key length, the update may block connections with that device when the registry flag is set.

    Previously, the firmware of Bluetooth Classic devices would negotiate an encryption key length anywhere from 1 byte to 16 bytes. After installing the August 13, 2019 security update -- and enabling the EnableMinimumEncryptionKeySize registry key -- Windows will reject any Bluetooth connection whose key length is less than 7 bytes. If your Bluetooth device, the Bluetooth radio in your Windows device, or the driver for that Bluetooth radio does not support an encryption key length of 7 bytes or more, it may have issues pairing when the registry key EnableMinimumEncryptionKeySize is set to a value of 1.

    Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check whether the manufacturer of their Bluetooth controller is providing additional guidance on updates and mitigations. If the policy is enabled and the Bluetooth radio in your Windows device, or the driver for that Bluetooth radio, does not support the HCI_Read_Encryption_Key_Size command, your Bluetooth devices may no longer work.

    Note If you are having issues pairing or connecting Bluetooth devices but have not enabled the EnableMinimumEncryptionKeySize registry key or the errors in event log are not the ones listed below, please refer to the Bluetooth troubleshooting tips in KB4507623.

    Guidance for advanced users and IT Pros

    If you would like to enable the mitigation for this security vulnerability, you will need to do so manually. This mitigation is off by default. This ensures that peripherals with an encryption key size < 7 continue to operate until an administrator sets the registry key. If the registry key is set, any connection where (a) the negotiated key length is less than the minimum encryption key size, or (b) the key length is being lowered from what was previously negotiated (a detected attack), will be blocked. By default, the minimum allowed encryption key size is 7. The registry key state is preserved upon upgrade.

    Please note that we are shipping this mitigation off by default because, during testing of encryption key length enforcement, we found that some Bluetooth controllers may not respond or may stop pairing. Some BT devices may not support the minimum encryption key length enforced by the Microsoft update. We understand that compatibility with your devices is important, and we cannot guarantee compatibility with key enforcement enabled, so you should enable the mitigation based on your own risk assessment and compatibility needs. If you have access to sensitive data and use the device in an area that does not have physical security, we recommend enabling the mitigation for this security vulnerability.

    Note Testing is recommended between any hosts and devices you plan to use together with EnableMinimumEncryptionKeySize enabled. We suggest deploying to devices where you have tested the configuration, or Bluetooth usage is not critical to the intended role of the device.

    Before deploying this mitigation in your environment, we recommend that you first test any known devices (see the issues below) and warn users of potential issues with untested Bluetooth devices. If you encounter issues, you will need to check for updated firmware or drivers for your devices or contact the manufacturer of your device.

    Issues you may encounter may include:

    • Bluetooth devices may fail to pair or connect to your Windows Device.
    • The Bluetooth radio in your Windows device may stop responding.
    • You may receive an Event 48 in the System event log:

    Event Log: System
    Event Source: BTHUSB
    Event ID: 48
    Severity: Warning
    Event Message Text: The local adapter does not support reading the encryption key size for a connected device. Insecure devices may be able to connect to this system.

    • You may receive an Event 49 in the System event log:

    Event Log: System
    Event Source: BTHUSB
    Event ID: 49
    Severity: Warning
    Event Message Text: Windows rejected a connection from your Bluetooth device (%2) because the resulting encryption key size was smaller than the system required minimum.

    Enable key length enforcement using Registry Editor

    Important Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    • Select Start, select Run, type Regedit in the Open dialog box, and then select OK.
    • Locate and select the following registry subkey: HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth
    • On the Edit menu, select Modify to modify the EnableMinimumEncryptionKeySize registry entry.
    • In the Value data box, type 1, and then select OK. This sets the "EnableMinimumEncryptionKeySize"=dword value to 00000001
    • Exit Registry Editor.
    • Restart the Windows device.

    If you do not want to restart your Windows device, you can reset your Bluetooth device instead:

    • On the device, go to the Bluetooth Settings.
    • Turn off Bluetooth.
    • Open Device Manager and locate the Bluetooth Controller.
    • Right-click or long press on the Bluetooth Controller and select Disable device.
    • After the device is disabled, right-click again and select Enable device.
    • Turn on Bluetooth in Bluetooth Settings
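
    The two procedures above (setting the registry value, then disabling and re-enabling the controller instead of rebooting) scripted in PowerShell, followed by a scan of the System log for the Event 48 and Event 49 warnings listed earlier. This is an added example, not code from the Microsoft KB article or from Microsoft; the -Value, -RadioInstanceId and -LookbackMinutes parameters, the use of the BTHUSB service name to pick the radio, and the 30-minute lookback window are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Microsoft KB article quoted above.
# Enables (or rolls back) EnableMinimumEncryptionKeySize, bounces the Bluetooth
# controller so the driver re-reads the policy, then checks the System log for
# BTHUSB events 48 and 49 to tell whether enforcement is actually effective.
[CmdletBinding()]
param(
    [ValidateSet(0, 1)]
    [int]$Value = 1,              # 1 = enforce minimum key size, 0 = roll back (assumed parameter)
    [string]$RadioInstanceId,     # optional PnP instance ID of the radio to bounce (assumed parameter)
    [int]$LookbackMinutes = 30    # how far back to scan the System log (assumed parameter)
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Hardware\Bluetooth'
$Name    = 'EnableMinimumEncryptionKeySize'

# --- 1. Set the policy value -------------------------------------------------
# Assumption: the Policies\Hardware\Bluetooth subkey may not exist yet; create it.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

# Read it back: a silent failure here would leave you believing you are protected.
$actual = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
if ($actual -ne $Value) {
    throw "Expected $Name=$Value but read back $actual"
}
Write-Host "$Name is now $actual"

# --- 2. Disable and re-enable the Bluetooth controller ------------------------
# This is the Device Manager sequence from the KB, scripted. It does not toggle
# the Bluetooth switch in Settings; reboot if paired devices do not come back.
# Assumption: a USB-attached radio is served by the BTHUSB driver. Pass
# -RadioInstanceId explicitly for radios on other buses.
if (-not $RadioInstanceId) {
    $radio = Get-PnpDevice -Class Bluetooth -PresentOnly |
             Where-Object { $_.Service -eq 'BTHUSB' } |
             Select-Object -First 1
    if (-not $radio) { throw 'No BTHUSB radio found; pass -RadioInstanceId explicitly' }
    $RadioInstanceId = $radio.InstanceId
}
Write-Host "Bouncing Bluetooth controller $RadioInstanceId"
Disable-PnpDevice -InstanceId $RadioInstanceId -Confirm:$false
Start-Sleep -Seconds 3
Enable-PnpDevice  -InstanceId $RadioInstanceId -Confirm:$false

# --- 3. Check whether enforcement is really in effect -------------------------
# Event 48 means the adapter/driver cannot answer HCI_Read_Encryption_Key_Size:
# the flag is set, but short-key connections are NOT being rejected on this host.
# Event 49 is the expected outcome when a weak peer is refused.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$filter = @{ LogName = 'System'; ProviderName = 'BTHUSB'; Id = 48, 49; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No BTHUSB 48/49 events since $since; pair a test device and re-run."
}
foreach ($e in $events) {
    switch ($e.Id) {
        48 { Write-Warning "Event 48 at $($e.TimeCreated): controller cannot read key size; enforcement is not effective on this host." }
        49 { Write-Host    "Event 49 at $($e.TimeCreated): rejected a short-key connection. $($e.Message)" }
    }
}
```

    Run it from an elevated PowerShell prompt (for example .\Set-BtKeySizeEnforcement.ps1 -Value 1, a file name chosen for this example). The check in step 3 is the part worth keeping: an Event 48 after the flag is set means the controller or driver cannot report the key size, so Windows is not enforcing anything on that host even though the registry value reads 1, and the KB's own event text says insecure devices may still connect. If step 2 leaves the radio unresponsive, re-run with -Value 0 to roll back, as the FAQ below advises.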

    Frequently Asked Questions

    Why was the fix disabled by default?
    Microsoft released security updates on August 13th, and customers who install the security update and enable the mitigation are protected. The functionality is disabled by default when the update is installed. Users who have issues connecting Bluetooth devices after installing and enabling this functionality should check whether their OEM is providing additional guidance on updates and mitigations.

    My Bluetooth radio controller and device are not working after setting the value of EnableMinimumEncryptionKeySize to 1, what should I do?
    The August 2019 Windows Security Update:

    • Determines if the Bluetooth controller supports the HCI_Read_Encryption_Key_Size command.
    • Issues a HCI_Read_Encryption_Key_Size command and tests whether the connection to a Bluetooth device supports the minimum encryption key size.

    Failure on either test can prevent Bluetooth connections. Windows devices with incompatible Bluetooth controllers or Bluetooth devices may have to temporarily or permanently set EnableMinimumEncryptionKeySize value to 0 until controllers, firmware or drivers can be updated or the device itself updated.

    I haven't enabled the EnableMinimumEncryptionKeySize registry key and I'm having issues pairing or connecting Bluetooth devices, what should I do?
    Refer to knowledge base article KB4507623 for known issues.

    Where can I find more information on whether my Bluetooth device will support the new recommended minimum key length?
    Please check the websites from your Windows device manufacturer (OEM), your Bluetooth radio driver provider and the manufacturer of your Bluetooth device.


    Source: https://support.microsoft.com/en-us/...th-enforcement

  2. Reply

    Interesting - especially in view of my recent issues introduced by the May '19 CU that I eventually managed to address at source. Many thanks for sharing.
