Researchers Discover Bluetooth Vulnerability and Name It “BLURtooth”

By Bill Toulas / September 10, 2020

Two teams of researchers, from Purdue University and the Swiss Federal Institute of Technology Lausanne, have independently discovered a severe flaw (CVE-2020-15802) in Bluetooth’s CTKD (Cross-Transport Key Derivation) pairing system. Apparently, the pairing keys are susceptible to being overwritten, which would let a malicious actor reach profiles and services through an escalation of access and potentially even perform man-in-the-middle (MitM) attacks.

The vulnerability is being referred to as “BLURtooth,” which was maybe chosen to denote the blurred line between the open space of Bluetooth’s LE aspect and the user’s sensitive information.

For the attack to work, the hacker needs to be within the target device’s range and also needs to spoof the identity of a paired or bonded device. The target device needs to permit pairing with no authentication or the use of weak keys, and needs to operate in LE (Low Energy) or BR/EDR (Basic Rate/Enhanced Data Rate) mode.

The attacker could use the dual-mode device to generate a Long Term Link Key (LTK) and overwrite the original link key. This essentially opens the door to user profiles and services, which are not protected otherwise.
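To make the overwrite described above concrete from the defender’s side, here is an added example (not code from the article, the researchers, or the Bluetooth SIG) that models a dual-mode device’s key store in Python. The key-store policy, the peer name, the key sizes and the log messages are all constructed for illustration; the “restriction” check is a simplified stand-in for the kind of rule Core Specification 5.1 imposes on CTKD (a derived key must not replace a stronger existing key) and is not the specification’s text. It shows how an unauthenticated, CTKD-derived key silently replaces an authenticated link key when no such check exists, and how the check turns that into a rejected, logged event.

```python
from dataclasses import dataclass
from enum import Enum


class Transport(Enum):
    BR_EDR = "BR/EDR"
    LE = "LE"


@dataclass(frozen=True)
class PairingKey:
    transport: Transport
    authenticated: bool  # MITM-protected pairing (passkey/numeric comparison) vs "Just Works"
    key_size: int        # negotiated encryption key size in bytes (7..16)
    derived: bool        # produced by CTKD from the other transport's key, not by direct pairing


def weaker_than(new: PairingKey, existing: PairingKey) -> bool:
    """True if storing `new` would lower the security of the slot `existing` occupies."""
    loses_mitm = existing.authenticated and not new.authenticated
    shorter = new.key_size < existing.key_size
    return loses_mitm or shorter


class KeyStore:
    """Per-peer, per-transport key storage on a dual-mode device (constructed model)."""

    def __init__(self, enforce_ctkd_restriction: bool):
        self.keys: dict[tuple[str, Transport], PairingKey] = {}
        self.enforce = enforce_ctkd_restriction
        self.log: list[str] = []

    def store(self, peer: str, key: PairingKey) -> bool:
        existing = self.keys.get((peer, key.transport))
        # Simplified 5.1-style rule (assumption, not spec text): a CTKD-derived key
        # may not overwrite an existing key that is stronger than it.
        if self.enforce and key.derived and existing is not None and weaker_than(key, existing):
            self.log.append(
                f"REJECTED derived {key.transport.value} key from {peer}: "
                f"would downgrade authenticated={existing.authenticated}, "
                f"size={existing.key_size} to authenticated={key.authenticated}, size={key.key_size}"
            )
            return False
        self.keys[(peer, key.transport)] = key
        return True


def simulate_blur_overwrite(enforce_ctkd_restriction: bool) -> dict:
    """Replay the article's scenario against a key store with or without the restriction."""
    store = KeyStore(enforce_ctkd_restriction)
    peer = "headset-01"  # constructed peer identity

    # 1. Legitimate, MITM-protected BR/EDR pairing with the real headset.
    store.store(peer, PairingKey(Transport.BR_EDR, authenticated=True, key_size=16, derived=False))

    # 2. A device claiming the same identity completes an unauthenticated LE pairing;
    #    CTKD then derives a BR/EDR link key from that weak LE key and tries to store it.
    store.store(peer, PairingKey(Transport.LE, authenticated=False, key_size=16, derived=False))
    accepted = store.store(
        peer, PairingKey(Transport.BR_EDR, authenticated=False, key_size=16, derived=True)
    )

    final = store.keys[(peer, Transport.BR_EDR)]
    return {
        "derived_key_accepted": accepted,
        "authenticated": final.authenticated,  # did the MITM-protected key survive?
        "log": list(store.log),
    }


if __name__ == "__main__":
    for enforce in (False, True):
        result = simulate_blur_overwrite(enforce)
        print(f"restriction={enforce}: BR/EDR key authenticated={result['authenticated']}")
        for line in result["log"]:
            print("  ", line)
```

Without the restriction the authenticated BR/EDR key ends up replaced by an unauthenticated one, which is the downgrade the article describes; with it, the derived key is refused and the rejection is logged, giving an implementation both the mitigation and a signal worth surfacing.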

The question that arises from this is which devices are affected. Bluetooth 4.0, 4.2, and 5.0 are vulnerable to these “BLUR attacks,” so the official recommendation is for vendors to introduce the restrictions on CTKD that are mandated in Bluetooth Core Specification 5.1 and later. Bluetooth SIG has already reached out to its member companies, sharing all technical details about the discovered flaw and helping them develop effective remedies.

Of course, writing patches, testing, releasing, and finally pushing the fixes out via updates takes time, so these flaws cannot be mitigated through the main channel immediately. Also, Bluetooth SIG is just one of the vendors affected by BLURtooth, with over a hundred vendors still not having clarified whether they are affected. Clearly, we’re still at a very early stage in the mitigation effort.

From the user’s perspective, the things you can do are to apply updates as soon as they are made available, shut off your Bluetooth when you’re not actively using it, and avoid crowded places. That should be easy to do nowadays anyway.

UPDATE - Bluetooth SIG has sent us the following statement, which further clarifies some of the above, and also sheds more light on the applicability of BLURtooth:

The initial public statement from the Bluetooth SIG indicated the vulnerability could impact devices using Bluetooth Core Specification versions 4.0 through 5.0. However, that has now been corrected to indicate just versions 4.2 and 5.0. In addition, the BLURtooth vulnerability does not impact all devices using these versions. To be potentially open to attack, a device must support both BR/EDR and LE simultaneously, support cross-transport key derivation, and leverage pairing and derived keys in a specific way. The fix for this issue is outlined in the Bluetooth Core Specification 5.1 and later, and the Bluetooth SIG has recommended to members with vulnerable product that they incorporate this change into older designs, where possible. The Bluetooth SIG works closely with the research community to identify and resolve potential vulnerabilities in advance of research announcements like today.
