Two teams of researchers, from Purdue University and the Swiss Federal Institute of Technology Lausanne, have independently discovered a severe flaw (CVE-2020-15802) in Bluetooth’s CTKD (Cross-Transport Key Derivation) pairing system. Apparently, the pairing keys are susceptible to being overwritten, which would let a malicious actor reach profiles and services beyond their authorized level of access, and potentially even mount man-in-the-middle (MitM) attacks.
The vulnerability is being referred to as “BLURtooth,” a name perhaps chosen to denote the blurred line between the open space of Bluetooth’s LE side and the user’s sensitive information.
For the attack to work, the hacker needs to be within range of the target device and must also spoof the identity of a previously paired or bonded device. The target device must permit pairing with no authentication or with weak keys, and must operate in LE (Low Energy) or BR/EDR (Basic Rate/Enhanced Data Rate) mode.
The attacker could use the dual-mode device to generate a Long Term Link Key (LTK) and overwrite the original link key. This essentially opens the door to user profiles and services that are otherwise protected.
The question that arises from this is which devices are affected. Bluetooth 4.0, 4.2, and 5.0 are vulnerable to these “BLUR attacks,” so the official recommendation is for vendors to introduce the restrictions on CTKD that are mandated in Bluetooth Core Specification 5.1 and later. Bluetooth SIG has already reached out to its member companies, sharing all technical details about the discovered flaw and helping them develop effective remedies.
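To make the overwrite problem and the 5.1-style restriction concrete, here is an added illustration (not code from the researchers, Bluetooth SIG, or any real stack) that models a per-peer key store in Python. The two update functions contrast the pre-5.1 behaviour, where a key derived through CTKD always replaces the stored one, with a hardened policy that refuses to let a derived key downgrade an authenticated or stronger existing key; the policy rules, the `PeerKey` fields and the sample keys are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of a per-peer key store keyed by (peer, transport).
# The overwrite policy paraphrases the CTKD restriction of Core Spec 5.1+
# as an assumption; it is not taken from any real Bluetooth implementation.

@dataclass(frozen=True)
class PeerKey:
    transport: str        # "LE" (long term key) or "BR/EDR" (link key)
    authenticated: bool   # True if pairing was MITM-protected (e.g. numeric comparison)
    strength: int         # negotiated key size in bytes (7..16)
    via_ctkd: bool        # True if derived from the other transport, not paired directly


KeyStore = Dict[Tuple[str, str], PeerKey]


def ctkd_overwrite_allowed(existing: Optional[PeerKey], derived: PeerKey) -> bool:
    """Allow the replacement only if it is not a downgrade of the stored key."""
    if existing is None:
        return True                      # nothing stored yet, nothing to downgrade
    if existing.authenticated and not derived.authenticated:
        return False                     # authenticated key must not become unauthenticated
    if derived.strength < existing.strength:
        return False                     # key size must not shrink
    return True


def update_key_vulnerable(store: KeyStore, peer: str, derived: PeerKey) -> KeyStore:
    """Pre-5.1 behaviour: a CTKD-derived key silently replaces whatever is stored."""
    new_store = dict(store)
    new_store[(peer, derived.transport)] = derived
    return new_store


def update_key_hardened(store: KeyStore, peer: str, derived: PeerKey) -> KeyStore:
    """5.1-style behaviour: keep the existing key when the derived one would weaken it."""
    slot = (peer, derived.transport)
    if derived.via_ctkd and not ctkd_overwrite_allowed(store.get(slot), derived):
        return store                     # rejected: the original key stays in place
    new_store = dict(store)
    new_store[slot] = derived
    return new_store
```

In the vulnerable path an unauthenticated key derived over one transport replaces an authenticated key on the other; the hardened path leaves the original key in place and the spoofed pairing gains nothing.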
Of course, writing patches, testing, releasing, and finally pushing the fix out via updates takes time, so these flaws cannot be mitigated through the main channel immediately. Moreover, Bluetooth SIG is just one of the vendors affected by BLURtooth, with over a hundred vendors still not having clarified whether they are affected. Clearly, we are still at a very early stage of the mitigation effort.
From the user’s perspective, what you can do is apply updates as soon as they are made available, switch off Bluetooth when you are not actively using it, and avoid crowded places. That should be easy enough to do nowadays anyway.
UPDATE - Bluetooth SIG has sent us the following statement, which further clarifies some of the above, and also sheds more light on the applicability of BLURtooth: