BLURtooth vulnerability allows overwriting Bluetooth authentication keys

BLURtooth vulnerability in Bluetooth
Written by Emma Davis

Experts from CERT and the Bluetooth Special Interest Group (SIG) have released information on the BLURtooth vulnerability, which poses a threat to all devices using Bluetooth from version 4.0 to version 5.0.

Bluetooth 5.1 includes features that can be enabled to prevent these attacks, and the Bluetooth SIG is already informing manufacturers how to mitigate the vulnerability when using the 5.1 standard.

The vulnerability was discovered by specialists from the Federal Polytechnic School of Lausanne and Purdue University and was named BLURtooth (CVE-2020-15802). The problem lies in the Cross-Transport Key Derivation (CTKD) standard used by Bluetooth devices.

While pairing devices, CTKD is used to negotiate and configure authentication keys between them. The point is that the Bluetooth Low Energy (BLE) and Basic Rate / Enhanced Data Rate (BR/EDR) standards use two different sets of keys.

"Basically, the role of CTKD is to prepare keys and let devices determine which version of the Bluetooth standard they will use", say CERT researchers.

Experts warn that using BLURtooth, an attacker can manipulate CTKD and overwrite authentication keys on a device, which ultimately gives an attacker connected via Bluetooth access to other Bluetooth services and applications on that device.

"For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing", write Bluetooth SIG specialists.

In some cases, authentication keys can be completely overwritten using BLURtooth, while in other cases, the keys can be downgraded and the encryption version is weakened.
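The two failure modes described above (a cross-transport key replacing an existing key outright, or replacing it with a weaker one) can be made concrete with a small defensive model. The following is an added example, not code from the article, from CERT, or from the Bluetooth SIG: it models a device key store that holds one key per transport (BR/EDR and LE), tags each key with how it was obtained and how strongly the pairing was authenticated, and applies an overwrite policy before a CTKD-derived key is allowed to replace an existing one. The strength levels, the policy rules, and the `KeyStore`/`decide` names are assumptions for illustration; real stacks track keys per peer and use the key-derivation functions defined in the specification.

```python
"""Toy model of a cross-transport key store with an overwrite-protection policy.

Hypothetical example: the key-strength ranking and the policy below are
assumptions chosen to illustrate the BLURtooth overwrite/downgrade problem,
not the Bluetooth SIG's reference implementation.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Tuple


class Strength(IntEnum):
    """Assumed ranking of pairing strength; higher means stronger."""
    UNAUTHENTICATED = 1  # JustWorks-style pairing, no protection against MITM
    AUTHENTICATED = 2    # pairing with user involvement (passkey, numeric comparison)


@dataclass(frozen=True)
class Key:
    transport: str       # "BR/EDR" or "LE"
    strength: Strength
    origin: str          # "pairing" (negotiated on this transport) or "ctkd" (derived from the other one)


def decide(existing: Optional[Key], candidate: Key) -> Tuple[bool, str]:
    """Assumed overwrite policy: never downgrade, and never let a derived key
    silently replace a key that was negotiated directly on this transport."""
    if existing is None:
        return True, "no existing key, accepted"
    if candidate.strength < existing.strength:
        return False, (f"rejected: would downgrade {existing.strength.name} "
                       f"key to {candidate.strength.name}")
    if candidate.origin == "ctkd" and existing.origin == "pairing":
        return False, "rejected: cross-transport derived key must not replace a directly paired key"
    return True, "accepted: replacement is at least as strong"


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)   # transport -> Key
    audit: list = field(default_factory=list)  # human-readable decision log

    def install(self, candidate: Key) -> bool:
        """Apply the policy; store the key and return True only if it passes."""
        existing = self.keys.get(candidate.transport)
        verdict, reason = decide(existing, candidate)
        self.audit.append(f"{candidate.transport}: {reason}")
        if verdict:
            self.keys[candidate.transport] = candidate
        return verdict


def simulate_overwrite_attempt() -> KeyStore:
    """Constructed scenario: the device already holds an authenticated LE key.
    A later unauthenticated BR/EDR pairing is accepted on its own transport,
    but the LE key derived from it through CTKD must not replace the
    authenticated one. Returns the store so the outcome can be inspected."""
    store = KeyStore()
    store.install(Key("LE", Strength.AUTHENTICATED, "pairing"))
    store.install(Key("BR/EDR", Strength.UNAUTHENTICATED, "pairing"))
    store.install(Key("LE", Strength.UNAUTHENTICATED, "ctkd"))  # the overwrite attempt
    return store


if __name__ == "__main__":
    result = simulate_overwrite_attempt()
    for line in result.audit:
        print(line)
    print("LE key after attempt:", result.keys["LE"])
```

The audit log is the part a defender would actually want: a stack that records why a cross-transport key was refused gives operators a signal that pairing is being attempted in an untrusted environment, which is the only mitigation the article says is currently available.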

Unfortunately, patches for this problem are not yet available, and the only way to protect against BLURtooth is to control the environment in which the devices are paired in order to prevent man-in-the-middle attacks and pairing with malicious devices.

The exact timing of the release of the fixes has not yet been announced. Most likely, in the future, such patches will be integrated into firmware or OS updates for Bluetooth-enabled devices.

Let me remind you that we also talked about a new Bluetooth attack called BIAS that endangers devices with firmware from Apple, Broadcom, Cypress, Intel and Samsung.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
