Windows guidance for Bluetooth key length enforcement

A security vulnerability has been found in the minimum encryption key length used to establish connections with Bluetooth BR/EDR devices (basic rate/enhanced data rate, also known as "Bluetooth Classic"). To exploit this vulnerability, an attacker needs specialized hardware and is limited by the signal range of the Bluetooth devices in use. When the devices are pairing or connecting, the attacker may be able to interfere and intercept the signal and force encryption key size down to 1 byte, down from the maximum of 16 bytes. This may potentially allow the attacker to decrypt the signal and the personal data within it or hijack the devices themselves.

Note Bluetooth Low Energy (Bluetooth LE) devices are not be affected by this issue.

For more information about this security vulnerability, see:

• Mitre: CVE-2019-9506
• Microsoft Security Update Guide: CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability

Note At the time of disclosure, we are not aware of this vulnerability being exploited maliciously.  

To address this vulnerability, on August 13, 2019 Microsoft released a Windows security update (as part of an industry-wide coordination) with a Windows Bluetooth (BT) encryption key size enforcement feature across all supported Windows operating system platforms. This mitigation is off by default and must be enabled via registry key. 

Customers must enable this functionality by setting a specific flag in the registry. When the flag is set, the Windows software will read the encryption key size and reject the Bluetooth connection if it does not meet the defined minimum key size. If your device does not support the higher-level key length, the update may block connections with that device when the registry flag is set.  

Previously, the firmware of Bluetooth Classic devices would negotiate and determine the level of encryption for the key length from 1 byte to 16 bytes key length.  After installing the August 13, 2019 security update -- and enabling the EnableMinimumEncryptionKeySize registry key -- Windows will reject any Bluetooth connection less than 7 bytes key length.  If your Bluetooth device, the Bluetooth radio in your Windows device, or the driver for that Bluetooth radio does not support 7 bytes or more encryption key length, then it may have issues pairing when the registry key EnableMinimumEncryptionKeySize is set to a value of 1.  

Users who have issues connecting their Bluetooth devices after installing and enabling this functionality should check to see if the manufacturer of their Bluetooth controller is providing additional guidance on updates and mitigations.  If the policy is enabled and the Bluetooth radio in your Windows device, or the driver for that Bluetooth radio do not support the HCI_Read_Encryption_Key_Size, your Bluetooth devices may no longer work. 

Note If you are having issues pairing or connecting Bluetooth devices but have not enabled the EnableMinimumEncryptionKeySize registry key or the errors in event log are not the ones listed below, please refer to the Bluetooth troubleshooting tips in KB4507623. 

If you would like to enable the mitigation for this security vulnerability, you will need to do so manually. This mitigation is off by default. This ensures that peripherals with encryption key size < 7 continue to operate until an administrator sets the registry key.  If the registry key is set, any connection where (a) the key length is < the encryption key size or (b) the key length is being lowered from what was previously negotiated (detected attack), will be blocked.  By default, the minimum allowed encryption key size = 7. The registry key state will be preserved upon upgrade. 

Please note we are shipping this mitigation off by default because during testing of encryption key length enforcement, we found that some Bluetooth controllers may not respond or stop pairing. Some BT devices may not support the minimum encryption key length enforced by the Microsoft update.  We understand that compatibility with your devices is important and as we cannot guarantee compatibility with key enforcement enabled.  You can enable the mitigation based on your own risk assessment and compatibility needs. If you have access to sensitive data and use the device in an area that does not have physical security, we recommend enabling the mitigation for this security vulnerability.   

Note Testing is recommended between any hosts and devices you plan to use together with EnableMinimumEncryptionKeySize enabled. We suggest deploying to devices where you have tested the configuration, or Bluetooth usage is not critical to the intended role of the device.   

Before deploying this mitigation in your environment, we recommended you first test any known devices (see issues below) and that you warn users of potential issues with untested Bluetooth devices. If you encounter issues, you will need to check for updated firmware or drivers for your devices or contact the manufacturer of your device. 

Issues you may encounter may include: 

• Bluetooth devices may fail to pair or connect to your Windows Device. 

• The Bluetooth radio in your Windows device may stop responding. 

• You may receive an Event 48 in System event log: 

• You may receive an Event 49 in System event log: 

Important Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Select Start, select Run, type Regedit in the Open dialog box, and then select OK.
2. Locate and select the following registry subkey: HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth
3. On the Edit menu, select Modify to modify the EnableMinimumEncryptionKeySize registry entry.
4. In the Value data box, type 1, and then select OK. This sets the "EnableMinimumEncryptionKeySize"=dword value to 00000001
5. Exit Registry Editor.
6. Restart the Windows device.

If you do not want to restart your Windows device, you can reset your Bluetooth device instead:

1. On the device, go to the Bluetooth Settings.
2. Turn off Bluetooth.
3. Open Device Manager and locate the Bluetooth Controller.
4. Right-click or long press on the Bluetooth Controller and select Disable device.
5. After the device is disabled, right-click again and select Enable device.
6. Turn on Bluetooth in Bluetooth Settings