Pierluigi Paganini September 10, 2020

Bluetooth 4.0 through 5.0 versions are affected by the vulnerability dubbed BLURtooth which allows hackers to defeat Bluetooth encryption.

A vulnerability dubbed BLURtooth affects certain implementations of Bluetooth 4.0 through 5.0 affects “dual-mode” Bluetooth devices, like modern smartphones. The vulnerability could be exploited by attackers to overwrite or lower the strength of the pairing key, defeating the protocol encryption.

The vulnerability, tracked as CVE-2020-15802, was discovered independently by boffins from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University, it resides in the Cross-Transport Key Derivation (CTKD) component of the Bluetooth standard.

The component is used for negotiating and setting up authentication keys when pairing two devices via Bluetooth.

The Cross-Transport Key Derivation (CTKD) sets up two different sets of authentication keys for both the Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) standard.

This means that the paired devices can decide the version of the Bluetooth standard to use and choose the related set of authentication keys.

“Devices supporting both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation (CTKD) for pairing are vulnerable to key overwrite, which enables an attacker to to gain additional access to profiles or services that are not restricted by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key. This vulnerability is being referred to as BLURtooth.” reads the advisory published by the Carnegie Mellon CERT Coordination Center.

An attacker can exploit the issue to manipulate the CTKD component to overwrite other Bluetooth authentication keys on a device achieving a connection via Bluetooth to other Bluetooth-capable services/apps on the same device.

Experts pointed out that in some cases the BLURtooth flaw could be exploited to completely overwrite the authentication keys, while in other circumstance the authentication keys can be downgraded to use weak encryption.

“For example, it may be possible to pair with certain devices using JustWorks pairing over BR/EDR or LE and overwriting an existing LTK or LK on the other transport.” continues the advisory. “When this results in the reduction of encryption key strength or the overwrite of an authenticated key with an unauthenticated key, an attacker could gain additional access to profiles or services that are not otherwise restricted.”

The Bluetooth Special Interest Group (SIG) also published a security notice providing details about the vulnerabilities and the attack scenarios.

“The researches identified that CTKD, when implemented to older versions of the specification, may permit escalation of access between the two transports with non-authenticated encryption keys replacing authenticated keys or weaker encryption keys replacing stronger encryption keys.” reads the SIG’s notice.

An attacker within the wireless range of a vulnerable Bluetooth device could spoof the identity of a paired device to overwrite the original key and access authenticated services.

Experts explained that BLURtooth opens the doors to man-in-the-middle (MitM) attacks during the pairing process.

“If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur.” continues the advisory. “This may permit a Man In The Middle (MITM) attack between devices previously bonded using authenticated pairing when those peer devices are both vulnerable.”

The SIG recommends the introduction of restrictions on Cross-Transport Key Derivation for the Bluetooth Core Specification versions 5.1 and later.

“The Bluetooth SIG further recommends that devices restrict when they are pairable on either transport to times when user interaction places the device into a pairable mode or when the device has no bonds or existing connections to a paired device. In all cases, it is recommended that devices restrict the duration of pairing mode and overwrite an existing bonding only when devices are explicitly in pairing mode.” concludes the SIG.

CERT CC also published a list of vendors with implementations vulnerable to BLURtooth attack.

Pierluigi Paganini

(SecurityAffairs – hacking, BLURtooth)

[adrotate banner=”5″]

[adrotate banner=”13″]