The Bluetooth Special Interest Group (SIG) and the CERT Coordination Center at Carnegie Mellon University (CERT/CC) have disclosed a vulnerability that could allow attackers to overwrite Bluetooth authentication keys and perform a man-in-the-middle (MitM) attack.
The vulnerability dubbed BLURtooth (CVE-2020-15802) resides in the Cross-Transport Key Derivation (CTKD) Bluetooth standard, which sets up authentication keys for dual-mode devices that support both Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) transport methods.
“The researchers identified that CTKD, when implemented to older versions of the specification, may permit escalation of access between the two transports with non-authenticated encryption keys replacing authenticated keys or weaker encryption keys replacing stronger encryption keys,” according to a security alert released by Bluetooth SIG.
If exploited, the vulnerability allows an attacker to overwrite and lower the strength of the Long Term Key (LTK) or Link Key (LK) encryption keys used to pair devices. A successful attack requires the attacker “to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing.”
“Vulnerable devices must permit a pairing or bonding to proceed transparently with no authentication, or a weak key strength, on at least one of the BR/EDR or LE transports in order to be susceptible to attack. For example, it may be possible to pair with certain devices using JustWorks pairing over BR/EDR or LE and overwrite an existing LTK or LK on the other transport. When this results in the reduction of encryption key strength or the overwrite of an authenticated key with an unauthenticated key, an attacker could gain additional access to profiles or services that are not otherwise restricted,” explained experts at Carnegie Mellon University.
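As an added illustration (not code from the advisory or from any Bluetooth stack), the Python model below simulates the key store of a dual-mode device with CTKD enabled: without a downgrade check, a JustWorks pairing on BR/EDR lets the derived key replace an authenticated LTK on LE, exactly the overwrite the quoted text describes. The `ctkd_overwrite_allowed` policy is a hypothetical rendering of the check that text implies (never replace an authenticated key with an unauthenticated one, never replace a stronger key with a weaker one); all class names, the scenario and the key sizes are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

class Transport(Enum):
    BR_EDR = "BR/EDR"  # holds the Link Key (LK)
    LE = "LE"          # holds the Long Term Key (LTK)

@dataclass(frozen=True)
class PairingKey:
    transport: Transport
    authenticated: bool  # MITM-protected pairing method vs. JustWorks
    key_size: int        # negotiated encryption key size in bytes

def other_transport(t: Transport) -> Transport:
    return Transport.LE if t is Transport.BR_EDR else Transport.BR_EDR

def ctkd_overwrite_allowed(existing: Optional[PairingKey], derived: PairingKey) -> bool:
    """Hypothetical downgrade check: a CTKD-derived key may replace the other transport's key only if it is not weaker."""
    if existing is None:
        return True
    if existing.authenticated and not derived.authenticated:
        return False  # unauthenticated key would replace an authenticated one
    if derived.key_size < existing.key_size:
        return False  # weaker key would replace a stronger one
    return True

class DualModeKeyStore:
    def __init__(self, enforce_downgrade_check: bool) -> None:
        self.enforce_downgrade_check = enforce_downgrade_check
        self.keys: Dict[Transport, PairingKey] = {}

    def pair(self, key: PairingKey) -> bool:
        # The pairing itself stores the key for the transport it ran on ...
        self.keys[key.transport] = key
        # ... and CTKD derives a key for the other transport with the same properties.
        derived = PairingKey(other_transport(key.transport), key.authenticated, key.key_size)
        existing = self.keys.get(derived.transport)
        if self.enforce_downgrade_check and not ctkd_overwrite_allowed(existing, derived):
            return False  # keep the existing key; cross-transport overwrite refused
        self.keys[derived.transport] = derived
        return True

def blurtooth_scenario(enforce_downgrade_check: bool) -> PairingKey:
    """Constructed scenario: the user pairs over LE with an authenticated 16-byte LTK, then an
    in-range device pairs over BR/EDR with JustWorks and a 7-byte key. Returns the final LE key."""
    store = DualModeKeyStore(enforce_downgrade_check)
    store.pair(PairingKey(Transport.LE, authenticated=True, key_size=16))
    store.pair(PairingKey(Transport.BR_EDR, authenticated=False, key_size=7))
    return store.keys[Transport.LE]
```

Run `blurtooth_scenario(False)` to see the authenticated LTK replaced by an unauthenticated 7-byte key, and `blurtooth_scenario(True)` to see the original LTK survive.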
The BLURtooth vulnerability impacts all devices using Bluetooth standard versions 4.0 through 5.0. The Bluetooth 5.1 standard includes features that can prevent such attacks. For now, there is no ETA on when patches resolving the issue will be released. Meanwhile, the Bluetooth SIG has released recommendations for mitigating this issue.