A new vulnerability has been found in some implementations of Bluetooth 4.0 through 5.0 that lets an attacker overwrite or weaken the pairing key, giving them access to services that should require an authenticated pairing.
The bug named BLURtooth was discovered and reported independently by researchers at Purdue University and École Polytechnique Fédérale de Lausanne (EPFL).
It affects “dual-mode” Bluetooth devices, like modern smartphones.
This vulnerability resides in a component of the Bluetooth standard named Cross-Transport Key Derivation (CTKD), which is used to negotiate and set up authentication keys when pairing two Bluetooth-capable devices.
BLURtooth can be exploited on devices that support both Bluetooth Classic and Low Energy (LE) data transport methods and use Cross-Transport Key Derivation (CTKD) for pairing with each other.
The former, Bluetooth Classic, is technically referred to as Basic Rate/Enhanced Data Rate (BR/EDR) and is used in applications that need sustained higher throughput (e.g. headphones).
Bluetooth LE is less data-intensive and is used where information is exchanged in short bursts, for example by small sensors, which also conserves energy.
According to a security advisory published by the Carnegie Mellon CERT Coordination Center, when CTKD is used for pairing dual-mode Bluetooth devices, the pairing procedure happens only once, over one of the two transports, and the key for the other transport is derived from it.
In the process, Long Term Keys / Link Keys (LTK/LK) are generated, and these keys can be overwritten by a later derivation even in cases where the existing key was established at a higher security level than the new one, which is what a BLUR attack takes advantage of.
The Bluetooth 5.1 specification includes restrictions on CTKD that, when enabled, prevent BLURtooth attacks.
The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has also started notifying vendors of Bluetooth devices about the BLURtooth attacks and how to mitigate them on devices that implement the 5.1 specification.
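The key-overwrite behaviour described above, and the 5.1-style restriction that prevents it, as an added model written for this article (it is not code from any Bluetooth stack, the CERT/CC advisory, or the researchers). Assumptions: the spec's h6 link-key conversion function is replaced by HMAC-SHA256 truncated to 16 bytes (the real one is AES-CMAC based), a derived key is modelled as inheriting the security level of the pairing that produced it, and the peer address and key bytes are constructed sample values.

```python
"""Model of Cross-Transport Key Derivation (CTKD) key overwrite.

Constructed illustration of the BLUR key-overwrite problem and the
"do not replace a stronger key" restriction. Not code from any Bluetooth stack.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

BR_EDR = "BR/EDR"
LE = "LE"

# Security levels of a transport key, in increasing order. Only the ordering
# matters for the overwrite check below (assumption: two-level model).
UNAUTHENTICATED = 1   # e.g. Just Works pairing, no MITM protection
AUTHENTICATED = 2     # e.g. passkey / numeric comparison, MITM-protected


def h6(w: bytes, key_id: bytes) -> bytes:
    """Stand-in for the spec's h6(W, keyID) conversion function.
    Assumption: HMAC-SHA256 truncated to 16 bytes instead of AES-CMAC."""
    return hmac.new(w, key_id, hashlib.sha256).digest()[:16]


def derive_cross_transport_key(key: bytes, from_transport: str) -> bytes:
    """CTKD: derive the other transport's key from the one just negotiated.
    Key IDs follow the Core Specification's LTK->LK and LK->LTK steps."""
    if from_transport == LE:               # LTK -> LK
        ilk = h6(key, b"tmp1")
        return h6(ilk, b"lebr")
    ilk = h6(key, b"tmp2")                 # LK -> LTK
    return h6(ilk, b"brle")


@dataclass
class StoredKey:
    value: bytes
    level: int


@dataclass
class KeyStore:
    """Per-peer keys for both transports. restrict_ctkd models the 5.1-era
    rule that a CTKD-derived key must not replace a stronger existing key."""
    restrict_ctkd: bool
    keys: dict = field(default_factory=dict)   # (peer, transport) -> StoredKey

    def pair(self, peer: str, transport: str, key: bytes, level: int) -> None:
        # One pairing yields the key for the transport it ran over ...
        self.keys[(peer, transport)] = StoredKey(key, level)
        # ... and CTKD derives the other transport's key without a second pairing.
        other = LE if transport == BR_EDR else BR_EDR
        derived = StoredKey(derive_cross_transport_key(key, transport), level)
        existing = self.keys.get((peer, other))
        if self.restrict_ctkd and existing and existing.level > derived.level:
            return                          # hardened: keep the stronger key
        self.keys[(peer, other)] = derived  # vulnerable path: silently overwrite

    def level_of(self, peer: str, transport: str):
        entry = self.keys.get((peer, transport))
        return entry.level if entry else None


def blur_scenario(restrict_ctkd: bool) -> dict:
    """Pair legitimately over LE with an authenticated LTK, then let a device
    claiming the same peer address pair over BR/EDR with Just Works.
    Returns the security level stored for each transport afterwards."""
    store = KeyStore(restrict_ctkd)
    peer = "AA:BB:CC:DD:EE:FF"                       # constructed peer address
    legit_ltk = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    rogue_lk = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed
    store.pair(peer, LE, legit_ltk, AUTHENTICATED)   # genuine, MITM-protected
    store.pair(peer, BR_EDR, rogue_lk, UNAUTHENTICATED)  # spoofed, Just Works
    return {LE: store.level_of(peer, LE), BR_EDR: store.level_of(peer, BR_EDR)}


if __name__ == "__main__":
    print("vulnerable store:", blur_scenario(restrict_ctkd=False))
    print("restricted store:", blur_scenario(restrict_ctkd=True))
```

In the vulnerable store the unauthenticated BR/EDR pairing derives a new LTK that replaces the authenticated one, so LE services that trusted the original pairing are now reachable with the attacker's key; with the restriction enabled the stronger LE key survives. The model deliberately covers only the cross-transport derivation path the article describes; how a stack should treat the direct re-pairing on the spoofed transport is a separate policy question.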
An attacker in the Bluetooth proximity of a vulnerable target device could spoof the identity of a paired device to overwrite the original key and access authenticated services.
BLURtooth can also be used for man-in-the-middle (MitM) attacks, with the attacker sitting between two vulnerable devices that had been linked using authenticated pairing.
As of now, patches are not yet available, so the only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks and pairings with rogue devices carried out via social engineering.
Also, the number of vulnerable devices is unclear and hard to quantify.
Users can check whether a patch is available by looking for CVE-2020-15802, the identifier assigned to the BLURtooth vulnerability, in firmware and OS release notes.