BLURtooth vulnerability opens millions of Bluetooth devices to MITM attacks


Bluetooth security can sometimes be just a “blur”

Why it matters: Most newer Bluetooth devices pair more easily thanks to the Just Works security model implemented in Bluetooth 4.0 and newer standards. However, that added convenience can be exploited by an attacker to compromise all of your Bluetooth devices.

The Bluetooth Special Interest Group has confirmed the existence of a vulnerability in Bluetooth 4.2 and Bluetooth 5.0 that allows an attacker within wireless range to essentially overwrite the pairing key and get access to other Bluetooth devices that you may have paired with the one they compromised.

The flaws were found by two separate research teams at Purdue University and the École Polytechnique Fédérale de Lausanne. Collectively dubbed “BLURtooth,” they have to do with a process called Cross-Transport Key Derivation (CTKD), which is used to negotiate the authentication keys for pairing Bluetooth devices that are compatible with the Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) standards.

Update: A spokesperson for the Bluetooth SIG contacted TechSpot to clarify a few statements and bring an update to their original public statement. While initially it was indicated the BLURtooth vulnerability could impact devices using Bluetooth Core Specification versions 4.0 through 5.0, this has now been corrected to just versions 4.2 and 5.0. In addition, the vulnerability does not impact all devices. To be potentially open to attack, a device must support both BR/EDR and LE simultaneously, support cross-transport key derivation, and leverage pairing and derived keys in a specific way.

A fix for this issue is outlined in the Bluetooth Core Specification 5.1 and later, and the Bluetooth SIG has recommended to members with vulnerable products that they incorporate this change into older designs, where possible.

The issue could potentially affect millions of smartphones, tablets, laptops, and countless IoT devices that support dual-mode pairing. Many devices pair using the Just Works security model — which doesn’t offer protection from Man-in-the-Middle (MITM) attacks or passive eavesdropping — so the attacker can use this convenience to impersonate your Bluetooth device and gain access to others that use strong encryption keys.

On the upside, these attacks require the hacker to be within wireless range, which in practice can be a lot shorter than the theoretical maximums in the official spec. Bluetooth SIG is currently working with manufacturers to develop firmware updates for affected devices, and the upcoming Bluetooth 5.1 specification will include restrictions that will prevent encryption key overwrites.
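As an added illustration (not code from the Bluetooth SIG, the specification, or any real Bluetooth stack), the C sketch below models the kind of restriction described above: a key derived through CTKD is not allowed to replace a stored key if doing so would downgrade it. The types, function names, and the exact policy (no loss of MITM authentication, no shorter key) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bond-store types, not taken from any real Bluetooth stack. */
typedef enum { TRANSPORT_BREDR = 0, TRANSPORT_LE = 1 } transport_t;

typedef struct {
    bool    present;        /* a key is already stored for this transport */
    bool    authenticated;  /* pairing had MITM protection (not Just Works) */
    uint8_t key_size;       /* effective key size in bytes */
} bond_key_t;

typedef struct { bond_key_t keys[2]; } bond_entry_t;  /* indexed by transport_t */

/* May a CTKD-derived key replace the key stored for `target`?
 * Assumed policy: never downgrade authentication or key size. */
bool ctkd_may_overwrite(const bond_entry_t *bond, transport_t target,
                        const bond_key_t *derived)
{
    const bond_key_t *cur = &bond->keys[target];
    if (!cur->present)
        return true;    /* nothing stored, so nothing is overwritten */
    if (cur->authenticated && !derived->authenticated)
        return false;   /* Just Works result must not replace a MITM-protected key */
    if (derived->key_size < cur->key_size)
        return false;   /* no key-size downgrade */
    return true;
}

/* Store the derived key only if the policy allows it; true when stored. */
bool ctkd_store(bond_entry_t *bond, transport_t target, const bond_key_t *derived)
{
    if (!ctkd_may_overwrite(bond, target, derived))
        return false;   /* caller should log this: it is a detection signal */
    bond->keys[target] = *derived;
    bond->keys[target].present = true;
    return true;
}

int main(void)
{
    /* Constructed sample: authenticated 16-byte BR/EDR key already bonded. */
    bond_entry_t bond = { { { true, true, 16 }, { false, false, 0 } } };
    bond_key_t jw = { true, false, 16 };  /* derived from a Just Works LE pairing */
    puts(ctkd_store(&bond, TRANSPORT_BREDR, &jw) ? "stored" : "rejected");
    return 0;
}
```

A rejected overwrite is worth logging on the host, since a legitimate peer that already holds an authenticated bond has little reason to trigger one.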

Still, this is becoming a worrying trend where we see two serious vulnerability disclosures every year — from exploits that are as easy as turning a knob to attacks that make it trivial to track you through your smartphone or wearable devices.