Microsoft warns that Windows 10 update will break some Bluetooth devices

midian182

Posts: 5,866   +48
Staff member

First reported by WindowsLatest, Microsoft said its new security update (CVE-2019-2102) addresses a vulnerability by intentionally preventing connections between the OS and “unsecure” Bluetooth devices.

“You may experience issues pairing, connecting or using certain Bluetooth devices after installing security updates released June 11, 2019,” the company writes.

Microsoft notes that any device using well-known keys to encrypt connections may be affected, which includes certain security fobs. All versions of Windows 10 will receive the update, along with Windows 8.1. Exactly how many devices might be borked by the update is unclear, and it appears that the only way to find out is if your Bluetooth accessory stops pairing.

Microsoft did say that advanced users can verify if their Bluetooth device is affected by checking the Event Log for the following event:

The Redmond company offered a solution for those who find their Bluetooth devices aren’t working: “contact the manufacturer of your Bluetooth device to determine if a device update exists.” If no updates exist, you’re left with the choice of avoiding the update, rolling it back, or buying a replacement device.

While we’ve seen plenty of Windows updates unintentionally break features in the past, this time it's an intentional change. Microsoft says it's there to make a computer more secure, but some users aren’t happy about the situation.

Permalink to story.

 

Mugsy

Posts: 651   +111
There is nothing wrong with the update. It's closing a security hole. Time to update your Bluetooth device. Don't like it, well maybe let the Bluetooth manufacturers know...
If MS releases an update that renders some devices useless, it's up to *MS* to provide working drivers, not tell users, "Tough $#!+. Pray your device manufacturer released an update."
 

texasrattler

Posts: 920   +398
If MS releases an update that renders some devices useless, it's up to *MS* to provide working drivers, not tell users, "Tough $#!+. Pray your device manufacturer released an update."
Its a security risk they are responsible not for the any device that the user uses.
 
I am sick of windows and when I initially upgraded from 8.1, I lost my Bluetooth and Blu-ray and was told it must have never existed by a Microsoft tech and no matter what fix I did, it didn't matter. I know it existed because I used both and aside from purchasing new hardware that I can't afford, I never got it fixed and every update for Win10 they release causes problems on EVERY device I have that is running it. I know Apple products are pricey but I don't ever hear about them making everyone's PC's problematic like Windows! I think it's wrong to release something that isn't user friendly for all devices running it. I mean minor glitches are expected as devices vary as well as the user but this is getting ridiculous and I feel that Windows 10 is the beginning of the end for Microsoft. I don't consider myself an expert with computers but I am no dummy either and continuing to use an OS that sucks makes me feel like one!! I have an Asus X551MA and it's like Windows forgot about Asus users when they created Windows 10 initially and now for every fix or update they send out, 5 more things go wrong!
 
  • Like
Reactions: Mugsy

Mugsy

Posts: 651   +111
Try reading. Its not another problem.
If it breaks something and they don't also provide the fix, it's a problem.

If this is a serious issue, Windows 7 (which is still currently supported) should also be affected and a patch for it released. Where is it?

And wouldn't the same device have the same security flaw when used from Linux? :bomb:
 

onestepforward

Posts: 165   +73
There is nothing wrong with the update. It's closing a security hole.
I tend to agree with you and MS should be commended for its work on trying to make Windows more secure. On the other hand MS is forcing updates on its users and doing so without giving them are really notice. And then there are the continued problems with updates. Even this morning I was reading about the latest update breaking some other aspect of Windows.

I can only begin to wonder how frustrating it is to be a Windows user. Well, that not entirely correct because my employer requires me to use a Windows computer. Don't get me started . . . !
 

Knot Schure

Posts: 292   +126
Will this be pushed to Server 2019 also?

I run a Bluetooth > Serial dongle I put in servers, and I'd hate to lose that functionality - as I can gain console access anywhere in an equipment room...without being tethered.
 

DukeJukem

Posts: 164   +120
I honestly think this is just a lazy way of fixing the issue. I'm sure there was a way to patch the security risk without disabling these bluetooth devices. Thousands upon thousands of people are going to have their computer reboot and their stuff isn't going to work, which is just bad practice to me. Not everyone comes to tech sites like these so they can prepare themselves/figure out the issue they're having. I feel microsoft simply didn't want to work hard enough to fix the issue so they just went the easy route and simply shut it all down. Terrible practice.

I may be wrong here is well so correct me if I am but im not researching it. This issue could also effect mice and keyboards and this could literally prevent people from completing their work. I don't understand microsoft anymore. Once easyanticheat games are running well on linux without a passthrough or something I'm gone.
 

regiq

Posts: 237   +113
Will this be pushed to Server 2019 also?

I run a Bluetooth > Serial dongle I put in servers, and I'd hate to lose that functionality - as I can gain console access anywhere in an equipment room...without being tethered.
This is the scenario where this patch could actually increase security... :)

Edit: Except that no hacker would use win10 in the first place...
 
Last edited:

gamerk2

Posts: 400   +275
I honestly think this is just a lazy way of fixing the issue. I'm sure there was a way to patch the security risk without disabling these bluetooth devices. Thousands upon thousands of people are going to have their computer reboot and their stuff isn't going to work, which is just bad practice to me. Not everyone comes to tech sites like these so they can prepare themselves/figure out the issue they're having. I feel microsoft simply didn't want to work hard enough to fix the issue so they just went the easy route and simply shut it all down. Terrible practice.

I may be wrong here is well so correct me if I am but im not researching it. This issue could also effect mice and keyboards and this could literally prevent people from completing their work. I don't understand microsoft anymore. Once easyanticheat games are running well on linux without a passthrough or something I'm gone.
I point out drivers that are conform to best practices shouldn't have any problems. And I can say for certain for a change like this most BT manufactures would have been informed. I'd be shocked if more then a couple dozen devices break, and most will get updates within a day or two.
 

DukeJukem

Posts: 164   +120
I point out drivers that are conform to best practices shouldn't have any problems. And I can say for certain for a change like this most BT manufactures would have been informed. I'd be shocked if more then a couple dozen devices break, and most will get updates within a day or two.
this is honestly microsofts fault for having a garbage operating system in the first place. the user shouldn't have to worried about stupid issues like this. one day they're going to release a windows update that accidently breaks the signal being sent to their monitor at the rate they're going. ever since gates stepped down the company has went completely south.
 

kenc1101

Posts: 37   +36
There is nothing wrong with the update. It's closing a security hole. Time to update your Bluetooth device. Don't like it, well maybe let the Bluetooth manufacturers know...
If MS releases an update that renders some devices useless, it's up to *MS* to provide working drivers, not tell users, "Tough $#!+. Pray your device manufacturer released an update."
No, it's up to the manufacturer of the device to release an updated driver that complies with security standards. Because a manufacturer is lazy and releases security flawed drivers does not put the onus on Microsoft to fix their ****. Microsoft is doing the right thing here.
 

kenc1101

Posts: 37   +36
Microsoft is doing the right thing here by closing the gaping security holes. Kudos. Manufacturers, get your **** together and stop putting out devices with flawed drivers. The standards are out there. Use them.
 

kenc1101

Posts: 37   +36
I honestly think this is just a lazy way of fixing the issue. I'm sure there was a way to patch the security risk without disabling these bluetooth devices. Thousands upon thousands of people are going to have their computer reboot and their stuff isn't going to work, which is just bad practice to me. Not everyone comes to tech sites like these so they can prepare themselves/figure out the issue they're having. I feel microsoft simply didn't want to work hard enough to fix the issue so they just went the easy route and simply shut it all down. Terrible practice.

I may be wrong here is well so correct me if I am but im not researching it. This issue could also effect mice and keyboards and this could literally prevent people from completing their work. I don't understand microsoft anymore. Once easyanticheat games are running well on linux without a passthrough or something I'm gone.
They aren''t shutting it all down. They are not allowing unsecure devices to connect via bluetooth after the update which is smart.
 

Capsaicin

Posts: 8   +5
~sigh~ hours of wasted troubleshooting only to find out microsoft isn’t up front about not pairing bluetooth devices. I wonder which lame brain executive made that decision.
 

gamerk2

Posts: 400   +275
this is honestly microsofts fault for having a garbage operating system in the first place. the user shouldn't have to worried about stupid issues like this. one day they're going to release a windows update that accidently breaks the signal being sent to their monitor at the rate they're going. ever since gates stepped down the company has went completely south.
You know, I wonder if anyone here actually bothered to read the security bulletin:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2102

In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate attacker to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-128843052.
This is a case where a potential vulnerability exists within the BT spec itself, and MSFT is addressing it via an OS update. This isn't strictly an OS problem, but a problem that can arise from the way device drivers implement Long Term Key's.
 

jtveg

Posts: 67   +17
I really don't like it when manufacturers take it upon themselves to baby their customers, for whatever reason. This is the main reason I don't like Apple.

What I feel should happen is that you receive a warning that:

[ The bluetooth device you are attempting to pair with has compromised security. Pairing is not recommended. Continue at own risk. ]

That way you can still use your device if you really want to and be responsible for any consequences.

Supposing you live on a farm and your nearest neighbour is 5 miles away. Obviously no bluetooth signal can go that far.
 
  • Like
Reactions: regiq

Darth Shiv

Posts: 2,047   +630
Screw Microsoft...
For what reason? Closing a security hole large enough to drive a Mac truck through?

See, if the OS isn't secure, people complain about it. But if the security holes are fixed and some non-conformant things break, people complain about it. There's literally no way to win.
Except that it's not a big problem. No one is going to hack a connection to a headset and even if they did, what they would gain is extremely minimal. Microsoft has their head up their bums where security priorities are concerned.
I'd say more that MS should give the CONSUMER the option to pair anyway.
 
  • Like
Reactions: retsxel

gamerk2

Posts: 400   +275
I'd say more that MS should give the CONSUMER the option to pair anyway.
No, then it becomes just another form of UAC, and you KNOW 99% of all users will just hit "OK". If you want to get serious about security, you have to take control away from users, who will always be the weak link.
 
  • Like
Reactions: texasrattler

gamerk2

Posts: 400   +275
Why does that matter? It is still up to the user to decide how to use their own system and equipment. It's not for Microsoft to decide.
Actually, it kinda is. We are well past the point where security can be left up to users doing the right thing, and if you all forget, ALL OF YOU criticized Microsoft for it's security practices. You can't have it both ways.
 
  • Like
Reactions: texasrattler

gc757

Posts: 9   +8
Fact is you're talking about "The Public"... And we all know that "The Public" is NEVER satisfied! Damned if you do and damned if you don't. If you gave them a free program and added a free new car with it they would complain about the color of the car!