Overview
Devices supporting both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation (CTKD) for pairing are vulnerable to key overwrite, which enables an attacker to to gain additional access to profiles or services that are not restricted by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key. This vulnerability is being referred to as BLURtooth.
Description
As detailed in both the Bluetooth Core Specification versions 4.2 and 5.0, Bluetooth CTKD can be used for pairing by devices that support both Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) transport methods, which are known as "dual-mode" devices. CTKD pairing allows the devices to pair once using either transport method while generating both the BR/EDR and LE Long Term Keys (LTK) without needing to pair a second time. Dual-mode devices using CTKD to generate a LTK or Link Key (LK) are able to overwrite the original LTK or LK in cases where that transport was enforcing a higher level of security.
Impact
Several potential attacks could be performed by exploiting CVE-2020-15802, including a Man in the Middle (MITM) attack. The vulnerability is being referred to as BLURtooth and the group of attacks is being referred to as the BLUR attacks. Vulnerable devices must permit a pairing or bonding to proceed transparently with no authentication, or a weak key strength, on at least one of the BR/EDR or LE transports in order ..
Support the originator by clicking the read the rest link below.
