With the June 2019 security updates for Windows 8 to Windows 10, Microsoft is also patching the Bluetooth features. Some users have noticed that their Bluetooth devices can no longer pair after installing an update. This is by design and not a bug. Here is some information on this topic.
I have been aware of this topic since Patchday (June 11, 2019). I’m taking the whole thing up again here in the blog, because some users were surprised by it and some media are making a big fuss or scandal of it.
Some reader feedback
I just bought a new PC AMD Ryzen 2600x with current graphics card and a cheap WIFI-X-Box360 game controller. I spent hours yesterday trying to make it work without success. Everything done a thousand times. Driver installed, deleted, driver new, device removed, PC booted again and again. Adapter checked, driver loaded from side.
From the PC side everything was fine, only under Windows 10 there was no Bluetooth option at all. I’ve been researching the net forever. And all tips and tricks didn’t work. They actually sound logical, but it seemed as if Windows had completely switched off the Bluetooth option. Since simply the button on the surface, in the device manager “Bluetooth” did not exist. Everything checked, services, administration. There was no Bluetooth option in Windows ten. The controller tries to connect for ten minutes, then the round button only flashes every few seconds. As if it would be blocked. And it probably won’t be broken.
I also tried to uninstall the update ten times, but this always resulted in Windows reinstalling the update every time it was restarted, as it seems that you have to force the installation of certain updates. Unless you switch it off completely in Services, but then it is completely impossible to transfer new updates in general. And as soon as you switch services on again, this June update will be installed immediately when booting again.
I will exchange the part today and buy a conventional cable game controller. I wonder what Microsoft was thinking. Probably most alternative game controllers are affected. It is unlikely that the manufacturers will immediately program company updates worldwide, which will somehow have to be installed on the game controllers, if at all possible.
In my answer I pointed out that the problem described is probably related to the update for Windows 10, where Microsoft deactivates older Bluetooth controllers for security reasons. Later I saw a tweet from @phantomofmobile addressing this issue too.
— Crysta T. Lacey (@PhantomofMobile) June 12, 2019
Microsoft blocks insecure Bluetooth controllers
Microsoft has documented the reason for the deactivated Bluetooth chips. The KB article KB4503293 Cumulative Update for Windows 10 Version 1903 (and KB4503290, Security-only Update for Windows 8.1) contains the following explanation:
Addresses a security vulnerability by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections, including security fobs. If BTHUSB Event 22 in the Event Viewer states, “Your Bluetooth device attempted to establish a debug connection….”, then your system is affected. Contact your Bluetooth device manufacturer to determine if a device update exists. For more information, see CVE-2019-2102 and KB4507623.
So this update fixes a security vulnerability by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use known keys to encrypt connections. This Bluetooth patch is included in all updates for Windows 8.1 to Windows 10 (including the server variants).
In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate attacker to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-128843052.
Microsoft itself states that any device that uses known keys to encrypt connections may be affected. This also applies to certain security USB keys – but I don’t know whether Google’s Titan Key or the YubiKey is affected. Microsoft recommends that you contact the manufacturer of your Bluetooth device to determine if there is a device update.
I can’t say for sure whether it applies to the scenario the reader describes above, but the error pattern described fits. The whole thing may be annoying for those affected, but it is a security measure, because the attack vector can be abused. However, the attacker must be in the vicinity of the Bluetooth device, and paired Bluetooth devices are required.
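The check described in the KB text (BTHUSB Event 22 with the "debug connection" message) can be scripted. The following PowerShell is an added example, not code from Microsoft or from this blog. It assumes the event is written to the System log under the provider name BTHUSB, and the function name `Get-BluetoothDebugKeyBlock` is hypothetical.

```powershell
# Added example: report hosts that logged the blocked Bluetooth "debug connection".
# Assumption: the event is in the System log, provider name BTHUSB, Id 22 (per the KB text).
function Get-BluetoothDebugKeyBlock {
    [CmdletBinding()]
    param(
        [string[]] $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since = [datetime]'2019-06-11'   # Patchday named in the article
    )
    $filter = @{ LogName = 'System'; ProviderName = 'BTHUSB'; Id = 22; StartTime = $Since }
    # Only the two KB numbers named in the article; later cumulative updates that
    # supersede them also carry the change and will not be listed by this lookup.
    $kbIds = 'KB4503293', 'KB4503290'

    foreach ($computer in $ComputerName) {
        $events = @()
        $queryError = $null
        try {
            $events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.Message -like '*debug connection*' })
        }
        catch {
            # "No matching events" is the normal result on an unaffected host.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                $queryError = $_.Exception.Message
            }
        }
        $hotfix = @(Get-HotFix -Id $kbIds -ComputerName $computer -ErrorAction SilentlyContinue)

        # Get-WinEvent returns newest first, so index 0 is the latest hit.
        $first = $null
        $last = $null
        if ($events.Count -gt 0) {
            $last = $events[0].TimeCreated
            $first = $events[-1].TimeCreated
        }
        [pscustomobject]@{
            ComputerName = $computer
            Affected     = ($events.Count -gt 0)
            EventCount   = $events.Count
            FirstSeen    = $first
            LastSeen     = $last
            ListedKB     = ($hotfix.HotFixID -join ',')
            QueryError   = $queryError
        }
    }
}

Get-BluetoothDebugKeyBlock | Format-List
```

A host with `Affected = True` has a Bluetooth device that tried to pair with a well-known key; per the KB text, the next step is asking the device manufacturer for an update.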