Can't pair certain Bluetooth devices anymore on Windows 8 or 10? That's intentional
Microsoft released security updates for all supported versions of the Windows operating system on June 11, 2019. Some of the released updates patch a Bluetooth security vulnerability by "intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections, including security fobs".
In other words: Windows prevents the pairing of certain Bluetooth devices with Windows systems after the latest security update is installed.
Microsoft notes:
You may experience issues pairing, connecting or using certain Bluetooth devices after installing security updates released June 11, 2019. These security updates address a security vulnerability by intentionally preventing connections from Windows to unsecure Bluetooth devices.
A support page on the Microsoft Support website highlights the affected versions and updates:
- Windows 10: all versions.
- Windows 8.1
- Window Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Embedded 8 Standard
The CVE reveals that the issue affects Android devices only. It lists Android version 7.0 to Android 9 as potentially affected. Whether a device is affected depends on the manufacturer. If the manufacturer used a provded example Long Term Key, it is affected by the issue.
In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate attacker to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-128843052.
Administrators may check the Event Log to find out if a Bluetooth device is affected by the intentional change:
- Load the Event Viewer from the Start Menu.
- Switch to Windows Logs > System.
- Locate the following events:
- Event Log: System
- Event Source: BTHUSB or BTHMINI
- Event ID: 22
- Name: BTHPORT_DEBUG_LINK_KEY_NOT_ALLOWED
- Level: Error
- Event Message Text: Your Bluetooth device attempted to establish a debug connection. The Windows Bluetooth stack does not allow debug connection while it is not in the debug mode.
- If you see the event listed you know that the Bluetooth device is affected by the change.
Microsoft suggests to contact the manufacturer of the Bluetooth device to determine whether device updates are available. These need to update the connection options of the Bluetooth device to address the security issue for the device.
Options to connect affected Bluetooth devices, e.g. by overriding the intentional change, have not been revealed by Microsoft. The only option to restore pairing functionality for affected devices for which updates are not available is to restore an earlier version of the Windows operating system. Doing so would open the system up for attacks targeting that vulnerability, however. (via Deskmodder, Windows Latest)
I have upgraded to windows 7 and this problem no longer occurs.
Whatever but punishing the user for a software vulnerability by entirely disallowing the functionality instead of cautioning the user is hardly the right decision.
Hmmph! Something else in Windows not doing what it is supposed to do. Nothing new in that.
OK. My Dell laptop will Bluetooth the Android phone but won’t Bluetooth to Bose Solo 5 sound bar. My Android phone does Bluetooth to the Bose Solo 5.
Microsoft Google battle?
“intentionally preventing connections between Windows and Bluetooth devices that are not secure..” the issue affects Android devices only..
Not Android devices only but other devices like Microsoft’s own BT keyboards..
Meh, who needs Bluetooth anyway? Microsoft have done a great job with Windows 10 and we should appreciate that.
Does the BLE vulnerability affect the security of Windows, though? If not, then making Windows refuse to connect with them is an unnecessary limitation that will do nothing to enhance user security.
If it’s “android only” this must be related to the useless phone feature. I just checked and my PS3 controller still works.
M$ is so concerned about the security for its users, whereas there is absolutely no concern if a concern cannot use his/her smart phone anymore. Happy days are here again.