Home Security BLURtooth Vulnerability Threatens Secure Bluetooth Device Connections

BLURtooth Vulnerability Threatens Secure Bluetooth Device Connections

by Abeerah Hashim

A newly discovered vulnerability dubbed BLURtooth has made it into the news, the exploit literally blurs safe pairing between Bluetooth devices.

About BLURtooth Vulnerability

Reportedly, the Bluetooth Special Interest Group (SIG) and  CERT Coordination Center at the Carnegie Mellon University (CERT/CC) have published security alerts regarding a serious Bluetooth flaw.

Specifically, the vulnerability resides in the Cross-Transport Key Derivation (CTKD) component of Bluetooth standard. This component is primarily responsible for setting up encryption keys when two devices pair.

The component ideally generates two pairs of authentication keys for the two Bluetooth standards; Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) standard. It then leaves it to the devices to choose the appropriate key standard.

This is where the vulnerability, CVE-2020-15802, exists. As stated by Bluetooth SIG,

The researches identified that CTKD, when implemented to older versions of the specification, may permit escalation of access between the two transports with non-authenticated encryption keys replacing authenticated keys or weaker encryption keys replacing stronger encryption keys.

Such meddling with encryption keys allows an adversary to connect vulnerable devices to the wrong devices.

Though for a successful attack, an attacker must be present within the wireless range of vulnerable Bluetooth enabled devices.

Recommended Mitigations

The vulnerability poses a threat to devices with Bluetooth Specifications 4.2 through 5.0.

However, Bluetooth Core Specification versions 5.1 and later, despite being vulnerable, bear features that can be activated to prevent such attacks. According to Bluetooth SIG, Bluetooth 5.1 already mandates certain restrictions on Cross-Transport Key Derivation (CTKD).

Thus, for now, they recommend,

The Bluetooth SIG is recommending that potentially vulnerable implementations introduce the restrictions on Cross-Transport Key Derivation mandated in Bluetooth Core Specification versions 5.1 and later.

Besides, they have also communicated with the vendors regarding necessary patches. Though, a timeline for the arrival of such patches remains unclear.

Nonetheless, they advise users to ensure keeping their devices updated with the latest patches provided by the respective manufacturers.

The following two tabs change content below.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Source link

Related Articles

Leave a Comment

This website uses cookies to improve your experience. We will assume you are ok with this, but you can opt-out if you wish. Accept Read More

%d bloggers like this: