BLURtooth is a new type of attack that exploits a vulnerability in Bluetooth, the most widely used wireless connection standard for mobile devices. Although manufacturers and the organization behind the Bluetooth standard, the Bluetooth SIG, are aware of this attack, there is nothing they can do to prevent it for now.
The Bluetooth Special Interest Group (SIG) issued a warning to all manufacturers and developers of this attack’s existence, including advice on how to mitigate it.
Two research groups, at the École Polytechnique Fédérale de Lausanne (Switzerland) and Purdue University (USA), discovered the vulnerability (CVE-2020-15802) independently of one another. Bluetooth versions 4.2 to 5.0 are affected, and a patch is not currently available. Versions 5.1 and 5.2, however, are not affected.
The vulnerability is known as BLURtooth because it enables so-called BLUR attacks. With such attacks, hackers can access personal data on a device that is stored there without further restrictions. The flaw lies in the cross-transport key derivation (CTKD) function, which is used to negotiate and set up authentication keys between Bluetooth devices.
It covers the keys for Bluetooth Low Energy (BLE) as well as for Basic Rate / Enhanced Data Rate (BR/EDR), the so-called dual mode. If a connection is established via Bluetooth, the security gap allows the authentication keys on the device to be overwritten or their security to be reduced. To do this, an attacking device must be within Bluetooth range, and pairing must take place.
If a Bluetooth device fakes another device’s identity and exchanges the key with CTKD during a pairing, this could “lead to access to authenticated services. This can lead to a man-in-the-middle attack (MITM attack) between devices that were previously connected using authenticated pairing if those peer devices are both vulnerable,” warns the Bluetooth Special Interest Group.
In this way, for example, inputs from connected Bluetooth keyboards or Bluetooth headsets could be monitored. Services such as coronavirus contact tracing, however, which rest on a different cryptographic basis, are not affected.
The new Bluetooth 5.1 already comes with some measures that, if activated, can prevent BLURtooth attacks; however, the rest of the versions have nothing similar.
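The following is an added example, not code from the researchers, the Bluetooth SIG or any Bluetooth stack. It models what the article describes: a dual-mode device keeps one key per transport, CTKD derives the key for one transport from the other, and the flaw is that a derived key from a weaker pairing can replace a stronger existing key. The "restricted" mode models the 5.1-style measure as a simple rule (a derived key may only replace an existing key if it is at least as strong); `derive_cross_transport_key` is a hypothetical stand-in for the specification's derivation functions, and the address and key values are constructed.

```python
import hashlib
import os
from dataclasses import dataclass
from enum import IntEnum


class Transport(IntEnum):
    BR_EDR = 0   # Basic Rate / Enhanced Data Rate, key type: Link Key (LK)
    LE = 1       # Bluetooth Low Energy, key type: Long Term Key (LTK)


@dataclass(frozen=True)
class StoredKey:
    """A pairing key plus the security properties it was established with.
    Constructed model: real stacks track more properties than these two."""
    key: bytes
    authenticated: bool   # MITM-protected pairing (e.g. numeric comparison) vs. Just Works
    key_size: int         # negotiated key length in bytes


def derive_cross_transport_key(source_key: bytes, target: Transport) -> bytes:
    """Hypothetical stand-in for the spec's derivation functions: any deterministic
    one-way mapping is enough to model CTKD here."""
    label = b"ltk-from-lk" if target == Transport.LE else b"lk-from-ltk"
    return hashlib.sha256(label + source_key).digest()[:16]


def stronger_or_equal(new: StoredKey, old: StoredKey) -> bool:
    """Overwrite rule (constructed policy, modelled on the article's description of
    the 5.1 restriction): a derived key may replace an existing key only if it is
    at least as strong in every tracked property."""
    return (new.authenticated or not old.authenticated) and new.key_size >= old.key_size


class KeyStore:
    def __init__(self, restrict_ctkd: bool):
        self.restrict_ctkd = restrict_ctkd   # False: pre-5.1 behaviour, True: restricted
        self.keys: dict[tuple[str, Transport], StoredKey] = {}

    def pair(self, peer: str, transport: Transport, authenticated: bool,
             key_size: int, key: bytes) -> None:
        """Record the key produced by a pairing on one transport."""
        self.keys[(peer, transport)] = StoredKey(key, authenticated, key_size)

    def ctkd(self, peer: str, source: Transport, target: Transport) -> bool:
        """Derive the key for `target` from the key for `source`.
        Returns True if the target key was (re)written, False if the policy refused."""
        src = self.keys[(peer, source)]
        derived = StoredKey(derive_cross_transport_key(src.key, target),
                            src.authenticated, src.key_size)
        existing = self.keys.get((peer, target))
        if existing is not None and self.restrict_ctkd and not stronger_or_equal(derived, existing):
            return False
        self.keys[(peer, target)] = derived
        return True


def blur_scenario(restrict_ctkd: bool) -> tuple[bool, bool]:
    """Scenario from the article: a keyboard was paired over BR/EDR with an
    authenticated 16-byte link key; later an unauthenticated LE pairing from a
    device claiming the same identity triggers CTKD toward BR/EDR.
    Returns (overwrite_happened, link_key_still_authenticated_and_full_length)."""
    store = KeyStore(restrict_ctkd)
    peer = "AA:BB:CC:DD:EE:FF"  # constructed address
    store.pair(peer, Transport.BR_EDR, authenticated=True, key_size=16, key=os.urandom(16))
    store.pair(peer, Transport.LE, authenticated=False, key_size=7, key=os.urandom(16))
    overwrote = store.ctkd(peer, Transport.LE, Transport.BR_EDR)
    lk = store.keys[(peer, Transport.BR_EDR)]
    return overwrote, (lk.authenticated and lk.key_size == 16)


if __name__ == "__main__":
    print("unrestricted CTKD:", blur_scenario(False))   # strong link key replaced
    print("restricted CTKD:  ", blur_scenario(True))    # overwrite refused
```

The point of the model is where the check sits: the derivation itself is not the problem, the missing comparison against the key that already exists is. A stack that records the pairing's security properties alongside each key can refuse the downgrade; one that only stores the key bytes cannot tell the two cases apart.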
Therefore, the Bluetooth SIG can only recommend basic precautions, such as controlling the environment in which we pair our devices, for example by not pairing a keyboard with our tablet in a public space. In addition, we must also be wary of social engineering attacks and be suspicious if someone, even a person we know, tries to get us to pair a Bluetooth device with our phone.
Although patches are already in development, they will have to be installed through system updates; and, to be honest, the vast majority of affected devices will never be updated because their manufacturers have abandoned them.