BLURtooth Vulnerability Gives Attackers a Route to Downgrade, Disable Bluetooth Encryption

Affecting dual-mode Bluetooth and Bluetooth Low Energy (BLE) devices, BLURtooth can allow for man-in-the-middle attacks.

The Bluetooth Special Interest Group (Bluetooth SIG) has issued a warning about a newly-discovered security vulnerability affecting dual-mode devices supporting both Bluetooth Classic and Bluetooth Low Energy (BLE): BLURtooth.

Discovered independently by researchers at École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University, and brought to our attention by Bleeping Computer, BLURtooth is a family of vulnerabilities in the Cross-Transport Key Derivation (CTKD) mechanism used to secure Bluetooth Basic Rate (BR), Bluetooth Enhanced Data Rate (EDR), and Bluetooth Low Energy (BLE) connections on devices implementing Bluetooth 4.0 through 5.0. If successfully exploited, it allows attackers to downgrade encryption keys or even replace them entirely.

"For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing," the Bluetooth SIG explains in its advisory.

The BLURtooth vulnerability affects dual-mode devices like smartphones and tablets. (📷: Startup Stock Photos)

"If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur. This may permit a Man In The Middle (MITM) attack between devices previously bonded using authenticated pairing when those peer devices are both vulnerable."

The vulnerability has been given the identifier CVE-2020-15802, with Carnegie Mellon's CERT Coordination Center posting details of its impact. The Bluetooth SIG, meanwhile, is recommending that vendors implement restrictions in CTKD usage which became mandatory in Bluetooth Core Specification 5.1 and later — even if their devices are designed to comply with earlier revisions of the spec.
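The restriction the Bluetooth SIG points to boils down to one rule at the key store: a key derived across transports must never replace an existing key that is authenticated or stronger. The following is an added, simplified model of that check (constructed example, not Bluetooth SIG or any stack's code; the key-strength ordering, `LinkKey` fields, and the sample address are assumptions) that runs the same scenario against an unpatched store and an enforcing one.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class LinkKey:
    transport: str       # "BR/EDR" or "LE"
    key: bytes           # constructed sample key material
    authenticated: bool  # True if the pairing was MITM-protected (not Just Works)
    key_size: int        # negotiated key length in bytes (7..16)

    def stronger_than(self, other: "LinkKey") -> bool:
        # Assumed ordering: authenticated beats unauthenticated, then longer key wins.
        if self.authenticated and not other.authenticated:
            return True
        return self.key_size > other.key_size

class BondStore:
    """Per-peer key store indexed by (peer address, transport)."""
    def __init__(self, enforce_ctkd_restriction: bool) -> None:
        self.enforce = enforce_ctkd_restriction
        self.keys: Dict[Tuple[str, str], LinkKey] = {}

    def pair(self, peer: str, key: LinkKey) -> None:
        """A direct pairing on a transport stores that transport's key."""
        self.keys[(peer, key.transport)] = key

    def ctkd_derive(self, peer: str, derived: LinkKey) -> bool:
        """Install a CTKD-derived key for the other transport.
        Returns True if stored, False if refused by the restriction."""
        existing = self.keys.get((peer, derived.transport))
        if self.enforce and existing is not None and existing.stronger_than(derived):
            return False  # never let CTKD downgrade an authenticated or stronger key
        self.keys[(peer, derived.transport)] = derived
        return True

def simulate(enforce: bool) -> Tuple[bool, bool]:
    """An authenticated LE bond exists; a later unauthenticated (Just Works) BR/EDR
    pairing derives an LE key via CTKD. Returns (overwritten, le_key_authenticated)."""
    store = BondStore(enforce)
    peer = "AA:BB:CC:DD:EE:FF"  # constructed address
    store.pair(peer, LinkKey("LE", b"\x11" * 16, authenticated=True, key_size=16))
    derived = LinkKey("LE", b"\x22" * 16, authenticated=False, key_size=16)
    overwritten = store.ctkd_derive(peer, derived)
    return overwritten, store.keys[(peer, "LE")].authenticated

if __name__ == "__main__":
    print("unpatched:", simulate(False))  # (True, False): LE key silently downgraded
    print("patched:  ", simulate(True))   # (False, True): downgrade refused
```

The unpatched store is the BLUR condition from the quoted advisory; the enforcing store also refuses a shorter key replacing a longer one, which is the key-size side of "greater strength".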

Bluetooth SIG's full response is available on the official website.

ghalfacree

Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
