BLURtooth vulnerability in Bluetooth devices can be used by hackers to launch Man-in-the-Middle (MiTM) attacks, steal confidential information and access authenticated services
Security researchers have discovered a new Bluetooth vulnerability that allows hackers to perform Man-in-the-Middle (MiTM) attacks on Bluetooth devices such as smartphones and IoT devices, and to steal confidential information or access authenticated services.
The vulnerability was discovered by a research team of academics from École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University. The researchers have named this new Bluetooth vulnerability “BLURtooth.”
The BLURtooth vulnerability has been assigned the identifier CVE-2020-15802; however, both MITRE and NIST are yet to update their vulnerability databases. The BLURtooth vulnerability exists in Bluetooth’s Cross-Transport Key Derivation (CTKD), which sets up authentication keys for dual-mode devices (e.g. smartphones) that support both the Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) transports.
The researchers say that hackers can use the BLURtooth vulnerability to overwrite, and lower the strength of, the Long Term Key (LTK) or Link Key (LK) encryption keys used to pair devices. Once the hackers reduce the key strength or remove the encryption key, they can perform a Man-in-the-Middle (MiTM) attack on the target device with ease.
“Vulnerable devices must permit a pairing or bonding to proceed transparently with no authentication, or a weak key strength, on at least one of the BR/EDR or LE transports in order to be susceptible to attack. For example, it may be possible to pair with certain devices using JustWorks pairing over BR/EDR or LE and overwriting an existing LTK or LK on the other transport. When this results in the reduction of encryption key strength or the overwrite of an authenticated key with an unauthenticated key, an attacker could gain additional access to profiles or services that are not otherwise restricted,” reads the Carnegie Mellon University blog post about the vulnerability.
The researchers say that Bluetooth devices that had previously been paired but are currently unpaired may also be exposed to MiTM attacks by attackers within range. “If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur,” explained the Bluetooth Special Interest Group (SIG).
The SIG says that there is no patch yet for the BLURtooth vulnerability. In the meantime, it recommended that “potentially vulnerable implementations introduce the restrictions on CTKD mandated in Bluetooth Core Specification versions 5.1 and later.”
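The restriction the SIG refers to is, in essence, a rule in the bond database: a key derived through CTKD must never replace an existing key on the other transport when the existing key is stronger or was established with authentication and the derived one was not. The following Python model is an added illustration written for this article, not code from the EPFL/Purdue researchers, the SIG or any Bluetooth stack. It tracks only the security properties of each key (transport, negotiated key size, authenticated or Just Works), not real key material, and replays the overwrite described above once against a store that behaves like a pre-5.1 implementation and once against a store that enforces the restriction. The class, function and device names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Transport(Enum):
    BR_EDR = "BR/EDR"
    LE = "LE"


@dataclass(frozen=True)
class BondKey:
    """One stored pairing key: a Link Key (BR/EDR) or a Long Term Key (LE)."""
    transport: Transport
    key_size: int          # negotiated encryption key size in bytes (7..16)
    authenticated: bool    # True for MITM-protected pairing, False for Just Works
    source: str            # "pairing" or "ctkd"; informational only


@dataclass
class KeyStore:
    """Minimal bond database with the CTKD overwrite rule made explicit."""
    enforce_ctkd_restrictions: bool = True   # False models a pre-5.1 stack
    keys: Dict[Transport, BondKey] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)   # what a defender would log

    def store_pairing_key(self, key: BondKey) -> None:
        # A completed pairing on a transport always yields that transport's key.
        self.keys[key.transport] = key
        self.audit.append(f"pairing: stored {key.transport.value} key "
                          f"(size={key.key_size}, authenticated={key.authenticated})")

    def apply_ctkd(self, derived: BondKey) -> bool:
        """Offer a key derived via CTKD for derived.transport; return True if stored.

        With restrictions on, a derived key may never replace an existing key
        that is stronger, or that was authenticated when the derived key is not.
        That downgrade is exactly what the article describes.
        """
        existing = self.keys.get(derived.transport)
        if existing is not None and self.enforce_ctkd_restrictions:
            if existing.authenticated and not derived.authenticated:
                self.audit.append(f"ctkd: REJECTED {derived.transport.value} key: would "
                                  "replace an authenticated key with an unauthenticated one")
                return False
            if derived.key_size < existing.key_size:
                self.audit.append(f"ctkd: REJECTED {derived.transport.value} key: size "
                                  f"{derived.key_size} < existing {existing.key_size}")
                return False
        self.keys[derived.transport] = derived
        self.audit.append(f"ctkd: stored {derived.transport.value} key "
                          f"(size={derived.key_size}, authenticated={derived.authenticated})")
        return True


def derive_cross_transport(key: BondKey, target: Transport) -> BondKey:
    """Model CTKD: the derived key carries over the source key's security properties.

    The real specification derives fresh key material with its key-derivation
    functions; only the properties the overwrite check inspects are modelled here.
    """
    return BondKey(target, key.key_size, key.authenticated, "ctkd")


def blur_scenario(enforce_restrictions: bool) -> dict:
    """Replay the overwrite from the article against a constructed dual-mode device.

    1. The device already holds an authenticated 16-byte LE LTK from an earlier bond.
    2. A new Just Works pairing over BR/EDR produces an unauthenticated Link Key.
    3. CTKD derives an LE key from that Link Key and offers it to the store.
    """
    store = KeyStore(enforce_ctkd_restrictions=enforce_restrictions)
    store.store_pairing_key(BondKey(Transport.LE, 16, True, "pairing"))
    weak_lk = BondKey(Transport.BR_EDR, 16, False, "pairing")
    store.store_pairing_key(weak_lk)
    accepted = store.apply_ctkd(derive_cross_transport(weak_lk, Transport.LE))
    ltk = store.keys[Transport.LE]
    return {"overwrite_accepted": accepted,
            "le_key_authenticated": ltk.authenticated,
            "audit": store.audit}


if __name__ == "__main__":
    for enforce in (False, True):
        result = blur_scenario(enforce)
        print(f"restrictions enforced={enforce}: overwrite accepted="
              f"{result['overwrite_accepted']}, LE key still authenticated="
              f"{result['le_key_authenticated']}")
        for line in result["audit"]:
            print("  " + line)
```

Run as a script, the unrestricted store silently replaces the authenticated LTK with a Just Works-derived one, while the restricted store refuses and records why; the audit line is the event worth surfacing from a real stack, since a rejected CTKD overwrite against an existing authenticated bond is a strong signal that something in range is attempting the pairing described above.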