BLURtooth flaw leaves devices open to man-in-the-middle attacks

The Bluetooth flaw CVE-2020-15802 affects all the “dual-mode” devices

Bluetooth bug opens devices to dangerous attacks.

A new high-severity Bluetooth vulnerability, named BLURtooth, could open the door to man-in-the-middle attacks or other types of exploitation. This flaw allows an attacker to downgrade or bypass Bluetooth encryption keys. The Bluetooth vulnerability affects all “dual-mode” devices running Bluetooth 4.2 through 5.0. So, it affects modern smartphones like the iPhone 11 or others.

According to the security notice,^[1] this bug, also known as CVE-2020-15802,^[2] was discovered and reported independently by two researchers teams at Purdue University and École Polytechnique Fédérale de Lausanne (EPFL). The problem exists in the Cross-Transport Key Derivation (CTKD) pairing process^[3] for Bluetooth implementations.

The Carnegie Mellon CERT Coordination Center wrote:^[4]

Devices supporting both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation (CTKD) for pairing are vulnerable to key overwrite, which enables an attacker to gain additional access to profiles or services that are not restricted by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key.

The BLURtooth attack could affect Bluetooth Classic & LE devices

So, hackers can exploit BLURtooth vulnerability on devices that support both Bluetooth Classic (also known as Bluetooth Basic Rate/Enhanced Data Rate, or simply BR/EDR) and Low Energy (BLE) data transport methods and use Cross-Transport Key Derivation (CTKD) for pairing with each other.

Usually, BR/EDR is used for audio applications: wireless telephone connections, wireless speakers, wireless headphones, etc. Meanwhile, BLE is more often used for wearable devices, fitness monitoring equipment, smart Internet of Things (IoT) devices, and battery-powered accessories.

It is clear that this error can affect many different devices. Therefore, users should think twice before using Bluetooth in vulnerable phones or other appliances.

The attacker must be close to the device for the vulnerability to be effective

One fact is clear – for this attack to be successful, the hacker must be within the wireless range of a vulnerable Bluetooth device. The distance can vary depending on the appliance: 330 feet for Bluetooth 4.0 and 800 feet for Bluetooth 5.0. Thus, the attacker must be not far from his victim.

If vulnerable devices are near, then hackers could sniff out communications between the two appliances, allowing them to spy on messages or potentially even alter them. But to be vulnerable, a device would need to support BR/EDR and BLE transport methods and also use CTKD. It must permit a bonding or pairing to proceed transparently with no authentication, or a weak key strength, on at least one type of transportation.

The Bluetooth SIG is recommending to introduce restrictions on CTKD for the potentially vulnerable devices. The same restrictions are in Bluetooth Core Specification versions 5.1 and later. They prevent the overwrite of an authenticated key or a key of a given length with an unauthenticated key or a key of reduced length. The Bluetooth SIG said:^[1]

The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.

It is worth remembering that this is not the first case of Bluetooth vulnerabilities. For example, researchers found security vulnerabilities on Bluetooth Classic in May.^[5] These flaws could have allowed hackers to harvest sensitive data.