BLURtooth Security Vulnerability Allows Hackers To Slice Through Bluetooth Encryption

These days just about everybody takes Bluetooth for granted. Manufacturers phase out useful physical ports like headset jacks in high-end devices with the expectation that buyers will use Bluetooth headphones. Our cars, watches, locator tags, home theaters, and even game controllers rely on the ubiquitous short-range wireless protocol. And if Bluetooth's built-in encryption were ever broken, we could be in for a world of hurt. Unfortunately, it appears attackers can do just that with a newly discovered security vulnerability announced by the Bluetooth Special Interest Group (SIG), known as BLURtooth.

The Bluetooth SIG and Carnegie Mellon University's CERT Coordination Center describe BLURtooth as a key-insertion attack. An attacker within physical range (usually 10 to 30 feet) of a vulnerable Bluetooth accessory can potentially overwrite a key that the accessory uses when it re-connects to a Bluetooth host, posing a man-in-the-middle risk. That means it's not likely that someone across the world would be able to exploit this vulnerability, but it's a bit unsettling that attackers don't have to physically touch the device to launch an attack.

Pairing a device to a host (like using Bluetooth headphones with a smartphone) results in the accessory storing a Long-Term Key, which it uses to re-connect to the host when the accessory is turned on. The Bluetooth Core 5.1 specification imposes restrictions that older specs didn't include, which make this process more secure; as a result, BLURtooth won't work against devices that implement them. These restrictions include much stronger keys as well as not overwriting authenticated keys with anything that has not yet been authenticated as part of the pairing process. Just about any device that re-connects automatically or advertises Bluetooth JustWorks features uses this style of pairing.
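To make those two restrictions concrete, here is a small added model of a per-peer key store that accepts or rejects a cross-transport-derived key; this is illustrative code written for this article, not code from the Bluetooth SIG, CERT, or any real Bluetooth stack, and the key bytes, key sizes, peer address and flag names are constructed assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredKey:
    """Simplified view of a stored Long-Term Key and its security attributes."""
    value: bytes          # constructed sample key material
    authenticated: bool   # True if pairing used MITM protection (e.g. numeric comparison)
    key_size: int         # negotiated key length in bytes (assumed 7..16)
    transport: str        # "BR/EDR" or "LE"


class KeyStore:
    """Per-peer key storage. With enforce_5_1=True it applies the two restrictions
    the article attributes to Bluetooth Core 5.1; with False it models the older
    behaviour in which any newly derived key simply replaces the stored one."""

    def __init__(self, enforce_5_1: bool = True):
        self.enforce_5_1 = enforce_5_1
        self.keys: dict[str, StoredKey] = {}

    def store(self, peer: str, candidate: StoredKey) -> bool:
        existing = self.keys.get(peer)
        if existing is not None and self.enforce_5_1:
            # Rule 1: an authenticated key is never replaced by an unauthenticated one.
            if existing.authenticated and not candidate.authenticated:
                return False
            # Rule 2: a key is never replaced by a weaker (shorter) one.
            if candidate.key_size < existing.key_size:
                return False
        self.keys[peer] = candidate
        return True


def demo() -> dict:
    """Same sequence against both policies: a strong authenticated LTK from the
    original pairing, then an unauthenticated, shorter key derived over the other
    transport. Returns whether the original key was overwritten in each case."""
    peer = "AA:BB:CC:DD:EE:FF"  # constructed peer address
    original = StoredKey(b"\x11" * 16, authenticated=True, key_size=16, transport="LE")
    derived = StoredKey(b"\x22" * 7, authenticated=False, key_size=7, transport="BR/EDR")
    results = {}
    for label, enforce in (("legacy", False), ("v51", True)):
        ks = KeyStore(enforce_5_1=enforce)
        ks.store(peer, original)
        results[label] = ks.store(peer, derived) and ks.keys[peer] is derived
    return results
```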


It seems the list of vulnerable accessories is pretty long. CERT says any Bluetooth device using the Basic Rate/Enhanced Data Rate (BR/EDR) and Low Energy (LE) protocols that also relies on Cross-Transport Key Derivation (CTKD) to pair with Bluetooth hosts is susceptible to BLURtooth. Only certain revisions of the spec support CTKD without also requiring Bluetooth Core 5.1's restrictions: any device that fits that description and uses Bluetooth 4.2 through 5.0 is open to the BLURtooth vulnerability. It should be noted that this doesn't necessarily mean every device using the older protocols is exposed; a manufacturer may have already guarded against an unauthorized key overwrite.

Unfortunately, there is no end-user mitigation beyond no longer using the affected devices or applying a firmware update from the manufacturer. The only solution proposed by both the Bluetooth Special Interest Group (SIG) and CERT is that manufacturers test their devices against this style of attack. Bluetooth SIG has shared details about its proposed software updates with members, including device makers, but it's up to manufacturers to patch their hardware. Devices that advertise Bluetooth 5.1 compatibility should already be protected against BLURtooth, so we'd recommend looking for the latest spec when shopping for new accessories.