Yet Another Security Flaw Discovered in Bluetooth Technology

In the past, security experts have reported many security threats plaguing Bluetooth technology. In a recent discovery, a new vulnerability was identified that could allow an attacker to take complete control of a Bluetooth-enabled device.

What's the new discovery?

A new attack method called BLURtooth can overwrite the authentication keys to grant unauthorized access.
  • The BLURtooth vulnerability affects the component named Cross-Transport Key Derivation (CTKD) in the devices using the Bluetooth standard 4.0 through 5.0.
  • Using this vulnerability, an attacker can manipulate the CTKD component of any device and then, either completely overwrite authentication keys or downgrade them to use weak encryption.
  • Doing so allows access to Bluetooth-capable services on the targeted device.

Other recent threats with Bluetooth

  • In July 2020, a group of researchers discovered a vulnerability, dubbed Bluetooth Reconnection Flaw, stemming from two critical design weaknesses in Bluetooth Low Energy (BLE), the most widely used low-energy communication protocol. The first issue was optional authentication during the device reconnection and the second was to avoid the authentication process.
  • In May 2020, academics from Germany and Italy came across a new attack class called Spectra, which is focused on a combo of WiFi and Bluetooth chips. It exploits flaws in the interfaces between wireless cores, where one core can be used for denial of service (DoS), information disclosure, while the other one for code execution.
  • In May 2020, academic researchers discovered security flaws dubbed Bluetooth Impersonation Attacks (BIAS) in Bluetooth Classic to spoof paired devices. An attacker can insert a rogue device into an established Bluetooth pairing presenting itself as a trusted endpoint.

Security tips

One should always avoid communicating sensitive information like passwords via Bluetooth. Enable “discoverable” mode only when it is needed while pairing with devices. Turn off Bluetooth while not using it to avoid any possible cyberattack. At last, always update Bluetooth-enabled devices to patch any exploitable flaw.