A new Bluetooth security vulnerability has been discovered by the organization behind the Bluetooth wireless technology. All devices using Bluetooth versions 4.2 to 5.0 are affected by this vulnerability. A feature in Bluetooth version 5.1 can be used to ensure that this device is not vulnerable to the discovered vulnerability.
Bluetooth security vulnerability in key negotiation
As with many encrypted connections, the communication partners must first agree on a security concept and exchange the necessary keys or certificates. An example of how this agreement can be reached is described in our blog series on SSL/TLS encryption, where a similar procedure is required as for Bluetooth communication.
The component responsible for negotiating and setting up authentication keys in Bluetooth devices is called BLURtooth. The exact task of BLURtooth is to keep the keys ready and let the paired devices decide which version of the Bluetooth standard should be used.
The Bluetooth Special Interest Group (SIG) together with the CERT Coordination Center has published security advices that describe how an attacker can exploit a Bluetooth security vulnerability in BLURtooth. It is possible for an attacker to overwrite the Bluetooth authentication keys on a device. This allows the attacker to gain access to other Bluetooth enabled applications on the same device.
With some Bluetooth versions, the keys can be completely overwritten, while others can be downgraded to weak encryption. In both cases, the attacker has the ability to connect to multiple Bluetooth enabled applications and exploit the vulnerability.
Patches are not yet ready
At this time there is no patch available to fix the security hole. The only way to protect yourself without a patch, currently is to check which Bluetooth devices are pairing. Especially in public places, where many people are in “Bluetooth proximity”, a regular check of the paired devices should take place.
It is currently not known when the first patch will be released. The SIG and CERT have, according to own statements, drawn the attention of many manufacturers of Bluetooth-capable devices to this security hole and have given special instructions on how the configuration should look like for Bluetooth version 5.1 so that the damage can be mitigated.
Until patches for all devices will be available is unclear, since different manufacturers of hardware and software pursue different schedules. How high the priority of this Bluetooth vulnerability is in the respective company, can be very different, therefore it is possible that the patches in the form of an update will come at different times.