The organizations behind the Bluetooth wireless technology has published guidance today on how device vendors can mitigate a new attack on Bluetooth capable devices.
Named BLURtooth, this is a vulnerability in a component of the Bluetooth standard named Cross-Transport Key Derivation (CTKD).
This component is used for negotiating and setting up authentication keys when pairing two Bluetooth-capable devices.
The component works by setting up two different sets of authentication keys for both the Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) standard.
CTKD’s role is to have the keys ready and let the paired devices decide what version of the Bluetooth standard they want to use. It’s primary use is for the Bluetooth “dual-mode” feature.
BLURtooth attack leads to key overwrite
But according to security notices published today by the Bluetooth Special Interest Group (SIG) and the CERT Coordination Center at the Carnegie Mellon University (CERT/CC), an attacker can manipulate the CTKD component to overwrite other Bluetooth authentication keys on a device, and grant an attacker connecting via Bluetooth access to other Bluetooth-capable services/apps on the same device.
In some versions of the BLURtooth attack, the authentication keys can be overwritten completely, while in other authentication keys can be downgraded to use weak encryption.
All devices using the Bluetooth standard 4.0 through 5.0 are vulnerable. The Bluetooth 5.1 standard comes with features that can be activated and prevent BLURtooth attacks.
Bluetooth SIG officials say they started notifying vendors of Bluetooth devices about the BLURtooth attacks and how they could mitigate its effects when using the 5.1 standard.
Patches… uhm… will be ready… when they’re ready
Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks, or pairings with rogue devices carried out via social engineering (tricking the human operator).
However, patches are expected to be available at one point. When they’ll be, they’ll most likely be integrated as firmware or operating system updates for Bluetooth capable devices.
The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as others. The number of vulnerable devices is also unclear and hard to quantify.
Users can keep track if their device has received a patch for the BLURtooth attacks by checking firmware and OS release notes for CVE-2020-15802, the bug identifier of the BLURtooth vulnerability.
According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.