Serious vulnerability discovered in Bluetooth but a remedy is missing: minimal risk on iOS

By Brian Adam
A team of researchers from the École Polytechnique Fédérale de Lausanne (EPFL) has discovered a Bluetooth vulnerability in the standard component called Cross-Transport Key Derivation (CTKD), which is used to set up and negotiate authentication keys when two devices are paired via Bluetooth.

Called BLURtooth, this vulnerability allows an attacker to connect to any device involved in a Bluetooth connection and access compatible applications and/or services by bypassing the steps that secure the data transfer. By compromising the authentication keys of any product that uses Bluetooth versions 4.0 to 5.0, the attacker can undermine the proper functioning of the target devices.

This is the official communication from the Bluetooth Special Interest Group: “For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device that supports both BR/EDR and LE transports, that supports CTKD between transports, and that allows pairing on BR/EDR or LE with either no authentication (for example JustWorks) or no user-controllable access restrictions on the availability of pairing. If a device that falsifies the identity of another device is associated or connected on a transport and CTKD is used to derive a key that then overwrites a pre-existing key of greater security or one that was created using authentication, access to authenticated services may occur. This can allow a Man In The Middle (MITM) attack between devices previously connected by authenticated association when these devices are both vulnerable.”

There is currently no corrective patch, but note that if your smartphone has Bluetooth 5.1 you are safe: the new version is able to mitigate BLURtooth attacks. In any case, the Bluetooth SIG is contacting resellers and alerting users through its official channels with tips on how to protect devices from the attack. Fixes for the flaw will be distributed, when available, through updates to smartphone operating systems, laptops and the firmware of IoT products.
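As an added illustration (not part of the article or of the Bluetooth SIG's text), here is a simplified Python model of the protective rule described above: a key derived via CTKD must not replace an existing key of higher security. The `KeyStore`, `LinkKey` and `Strength` names and the two-level security scale are assumptions of this model, not the specification's own fields.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class Strength(IntEnum):
    """Constructed two-level scale of key security (assumption, not spec terminology)."""
    UNAUTHENTICATED = 1   # Just Works pairing: no MITM protection
    AUTHENTICATED = 2     # passkey / numeric comparison: MITM-protected


@dataclass(frozen=True)
class LinkKey:
    transport: str        # "BR/EDR" or "LE"
    strength: Strength
    via_ctkd: bool        # True if derived from the other transport's key


class KeyStore:
    """Per-peer key store holding at most one key per transport."""

    def __init__(self) -> None:
        self.keys: Dict[str, LinkKey] = {}

    def store(self, key: LinkKey) -> bool:
        """Install `key`. Returns False (keeping the old key) when a CTKD-derived
        key would overwrite an existing key of higher security."""
        current = self.keys.get(key.transport)
        if current is not None and key.via_ctkd and key.strength < current.strength:
            return False
        self.keys[key.transport] = key
        return True


def blurtooth_scenario() -> bool:
    """Constructed scenario: the peer paired earlier with authentication on BR/EDR;
    an unauthenticated LE pairing then yields a CTKD-derived BR/EDR key.
    Returns True if the authenticated BR/EDR key survived the attempt."""
    store = KeyStore()
    store.store(LinkKey("BR/EDR", Strength.AUTHENTICATED, via_ctkd=False))
    store.store(LinkKey("LE", Strength.UNAUTHENTICATED, via_ctkd=False))
    accepted = store.store(LinkKey("BR/EDR", Strength.UNAUTHENTICATED, via_ctkd=True))
    return (not accepted) and store.keys["BR/EDR"].strength == Strength.AUTHENTICATED


if __name__ == "__main__":
    print("authenticated key preserved:", blurtooth_scenario())
```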

Other flaws affecting smartphones have also been discovered recently: one is BadPower, which manipulates charger firmware to set phones on fire; another is Cerberus, a banking trojan downloaded about 10,000 times through the Play Store.

