Cyber-security researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University have identified key security vulnerabilities in certain Bluetooth implementations that leave Bluetooth devices critically vulnerable to a number of different attacks. Named BLURtooth, the vulnerability (CVE-2020-15802) affects the Cross-Transport Key Derivation (CTKD) component in Bluetooth 4.0 to Bluetooth 5.0, enabling attackers to gain unauthorized access to a compromised device.
According to the CERT Coordination Center at the Carnegie Mellon University, the flaw leaves Bluetooth devices vulnerable to several potential hacking threats, including Man in the Middle (MiTM) attacks. While the problem only happens when such devices perform pairings without authentication or has a weak key strength, the bug can also allow attackers to reduce encryption strength by overwriting an authenticated key with an unauthenticated key.
Researchers say that dual-mode Bluetooth devices that support both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation (CTKD) for pairing are at risk against the key-overwrite vulnerability, enabling attackers to gain access to unrestricted profiles or services on compromised devices. For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both the aforementioned standards.
The Bluetooth SIG has taken cognizance of the issue and has issued a statement on how to mitigate the threat. The organization is recommending that “potentially vulnerable implementations introduce the restrictions on Cross-Transport Key Derivation mandated in Bluetooth Core Specification versions 5.1 and later”. The organization also encouraged Bluetooth users to ensure that they install the latest recommended updates from their device manufacturers.
