
A vulnerability exists in certain implementations of Bluetooth 4.0 through 5.0. It allows an attacker to overwrite the pairing key or reduce its strength, giving them access to authenticated services.
The vulnerability was discovered independently by two teams of academic researchers and has been named BLURtooth. It affects "dual mode" Bluetooth devices, such as modern smartphones.
Bluetooth Classic and LE Devices Affected
An attacker can exploit BLURtooth on devices that support both the Bluetooth Classic and the Low Energy (LE) data transport methods, that is, devices that use Cross-Transport Key Derivation (CTKD) to pair with each other.
The first mode is needed in applications that require higher throughput at a constant rate (for example, headphones). It is technically known as Basic Rate / Enhanced Data Rate (BR/EDR).
Bluetooth LE carries less data and is suitable for applications where information is needed over short distances, for example small sensors, which also saves energy.
A security advisory from the Carnegie Mellon CERT Coordination Center explains that dual-mode devices use CTKD to pair. The pairing procedure takes place on only one of the two data transports, and the Long-Term Key or Link Key (LTK/LK) for the other transport is derived from it.
In this process, existing LTK/LK keys can be overwritten, including keys that were established under a higher security level on the other transport. This is what a BLURtooth attack takes advantage of.
Risk of a MiTM attack
The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has already acted. The group published a notice describing an attack scenario and the result of a successful exploitation.
An attacker within Bluetooth range of a vulnerable target device could impersonate a previously paired device in order to overwrite the original key and access authenticated services.
"If a device that forges the identity of another device is paired or linked and they use CTKD to derive a key, there is a threat: the device can overwrite a pre-existing key, and access to authenticated services can occur."
BLURtooth also lends itself to Man-in-the-Middle (MiTM) attacks. For example, an attacker can position themselves between two vulnerable devices that were linked through authenticated pairing.
The vulnerability was discovered and independently reported by researchers at Purdue University and the École Polytechnique Fédérale de Lausanne (EPFL).
The Bluetooth SIG's recommendation for vendors with potentially vulnerable deployments is to introduce the restrictions on Cross-Transport Key Derivation that are required in versions 5.1 and later of the Bluetooth Core Specification.
The advisory lists vendors with implementations affected by BLURtooth. Only confirmed vendors are shown with the status "affected"; the others are shown as "unknown". The list will change as it is confirmed whether or not third-party implementations are affected.
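The following is an added example, not code from the article, from the researchers or from the Bluetooth SIG. It is a toy model of a dual-mode device's key store, written to make the two preceding points concrete: with an unconditional cross-transport overwrite, a weaker unauthenticated key derived through CTKD replaces an authenticated key on the other transport; with a 5.1-style restriction, the overwrite is refused. The `PairingKey` and `KeyStore` classes, the peer address, the key bytes and the strength values are all constructed for illustration and simplify the specification's actual key-strength and authentication bookkeeping.

```python
# Added example (not from the article or the Bluetooth SIG): toy model of a dual-mode
# Bluetooth key store with and without a CTKD overwrite restriction.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Transport(Enum):
    BR_EDR = "BR/EDR"  # Bluetooth Classic, secured by a Link Key (LK)
    LE = "LE"          # Bluetooth Low Energy, secured by a Long Term Key (LTK)


@dataclass(frozen=True)
class PairingKey:
    transport: Transport
    value: bytes
    authenticated: bool  # True if pairing used an MITM-protected association model
    strength_bits: int   # effective key entropy; assumed simplified range 56..128


class KeyStore:
    """Per-peer LK/LTK storage with a switchable cross-transport overwrite policy."""

    def __init__(self, restrict_ctkd: bool) -> None:
        self.restrict_ctkd = restrict_ctkd
        self._keys: Dict[Tuple[str, Transport], PairingKey] = {}

    def get(self, peer: str, transport: Transport) -> Optional[PairingKey]:
        return self._keys.get((peer, transport))

    def store_direct(self, peer: str, key: PairingKey) -> None:
        """Store a key established by pairing directly on its own transport."""
        self._keys[(peer, key.transport)] = key

    def apply_ctkd(self, peer: str, derived: PairingKey) -> bool:
        """Install a key derived for the other transport via CTKD.

        Returns True if the key was installed, False if the policy rejected it.
        Without the restriction (pre-5.1 behaviour) any existing key is overwritten.
        """
        existing = self.get(peer, derived.transport)
        if existing is not None and self.restrict_ctkd:
            # Simplified 5.1-style rule: a CTKD-derived key must never replace a key
            # that is authenticated when the derived key is not, or that is stronger.
            if existing.authenticated and not derived.authenticated:
                return False
            if derived.strength_bits < existing.strength_bits:
                return False
        self._keys[(peer, derived.transport)] = derived
        return True


def simulate_overwrite(restrict_ctkd: bool) -> dict:
    """Constructed scenario: the device already holds a strong, authenticated LE LTK
    for a peer; a later BR/EDR pairing with a weak, unauthenticated LK triggers CTKD
    toward LE. Returns what happened to the original LE key."""
    store = KeyStore(restrict_ctkd=restrict_ctkd)
    peer = "AA:BB:CC:DD:EE:FF"  # constructed peer address
    original = PairingKey(Transport.LE, b"\x11" * 16, authenticated=True, strength_bits=128)
    store.store_direct(peer, original)

    weak_lk = PairingKey(Transport.BR_EDR, b"\x22" * 7, authenticated=False, strength_bits=56)
    store.store_direct(peer, weak_lk)
    derived_ltk = PairingKey(Transport.LE, b"\x33" * 7, authenticated=False, strength_bits=56)
    installed = store.apply_ctkd(peer, derived_ltk)

    current = store.get(peer, Transport.LE)
    return {
        "ctkd_installed": installed,
        "original_key_survived": current == original,
        "le_key_authenticated": current.authenticated,
    }


if __name__ == "__main__":
    print("legacy   :", simulate_overwrite(restrict_ctkd=False))
    print("restricted:", simulate_overwrite(restrict_ctkd=True))
```

Running the module prints the outcome for both policies: in the legacy case the authenticated 128-bit LTK is silently replaced by the unauthenticated 56-bit derived key, which is the condition the SIG's notice describes; with the restriction enabled the derived key is rejected and the original key remains the one used for the LE transport. On a real stack the same decision belongs in the code path that commits CTKD-derived keys to the bonding database, and it is worth logging every rejected overwrite, since a rejected downgrade toward an already-bonded peer is itself a useful signal.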