Researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University have uncovered a Bluetooth security flaw that could allow an attacker to connect to a user device without authentication.
In a statement, the Bluetooth Special Interest Group said that “dual-mode” devices running Bluetooth 4.0 or 5.0 contain a vulnerability related to the Cross-Transport Key Derivation standard.
This could enable escalation of access as attackers can replace Bluetooth keys with non-authenticated encryption keys or weaker encryption keys.
The group said that an attacking device would need to be within wireless range of a vulnerable Bluetooth device that permits pairing either without authentication or without user-controlled access restrictions. Attackers may also be able to spoof other devices to access authenticated services.
This vulnerability, which is being referred to as “BLURtooth”, could lead to man-in-the-middle attacks, in which an attacker intercepts communications between two devices.
As a result, the group recommends that “potentially vulnerable implementations introduce the restrictions on Cross-Transport Key Derivation mandated in Bluetooth Core Specification versions 5.1 and later”.
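The recommended restriction above amounts to a policy on when a key derived across transports may replace a key already stored for the peer. The following Python model is an added example, not code from the article, the researchers or the Bluetooth SIG: it keeps a per-peer key store for the two transports, derives the other transport's key from a fresh pairing, and applies a simplified version of the 5.1 rule (never replace an authenticated key with an unauthenticated one, never reduce key strength). The derivation uses HMAC-SHA256 as a stand-in for the specification's AES-CMAC based functions, and the peer address, key bytes and transport labels are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Transport(Enum):
    BR_EDR = "BR/EDR"
    LE = "LE"


@dataclass(frozen=True)
class LinkKey:
    """A long-term key for one transport plus the properties the policy checks."""
    transport: Transport
    key: bytes
    authenticated: bool  # pairing was MITM-protected (e.g. passkey entry), not Just Works
    strength_bits: int   # negotiated key size; weaker pairings yield fewer bits


def other_transport(t: Transport) -> Transport:
    return Transport.LE if t is Transport.BR_EDR else Transport.BR_EDR


def ctkd_derive(source: LinkKey) -> LinkKey:
    """Cross-transport derivation of the other transport's key from a pairing key.
    Stand-in KDF (HMAC-SHA256 with an assumed label); the real spec uses h6/h7.
    What matters here is that the derived key inherits the source pairing's
    authentication status and strength, which is what the policy inspects."""
    label = b"lebr" if source.transport is Transport.LE else b"brle"
    derived = hmac.new(source.key, label, hashlib.sha256).digest()[:16]
    return LinkKey(other_transport(source.transport), derived,
                   source.authenticated, source.strength_bits)


def may_overwrite(existing: Optional[LinkKey], candidate: LinkKey, restricted: bool) -> bool:
    """Decide whether a CTKD-derived key may replace the stored key.
    restricted=False models the pre-5.1 behaviour (always replace).
    restricted=True models the 5.1+ restriction as simplified for this example:
    no downgrade from authenticated to unauthenticated, no reduction in strength."""
    if existing is None or not restricted:
        return True
    if existing.authenticated and not candidate.authenticated:
        return False
    if candidate.strength_bits < existing.strength_bits:
        return False
    return True


class KeyStore:
    def __init__(self, restricted: bool):
        self.restricted = restricted
        self._keys: Dict[Tuple[str, Transport], LinkKey] = {}

    def get(self, peer: str, transport: Transport) -> Optional[LinkKey]:
        return self._keys.get((peer, transport))

    def on_pairing_complete(self, peer: str, key: LinkKey) -> List[str]:
        """Store the key the pairing itself produced, then attempt CTKD for the
        other transport, subject to the overwrite policy. Returns decision log lines."""
        log = []
        self._keys[(peer, key.transport)] = key
        derived = ctkd_derive(key)
        existing = self.get(peer, derived.transport)
        if may_overwrite(existing, derived, self.restricted):
            self._keys[(peer, derived.transport)] = derived
            log.append(f"{derived.transport.value}: key set via CTKD "
                       f"(authenticated={derived.authenticated})")
        else:
            log.append(f"{derived.transport.value}: CTKD overwrite refused, keeping "
                       f"authenticated={existing.authenticated} key")
        return log


def simulate(restricted: bool) -> LinkKey:
    """An authenticated BR/EDR pairing followed by an unauthenticated LE pairing
    that claims the same peer address; returns the BR/EDR key left in the store."""
    store = KeyStore(restricted)
    peer = "00:11:22:33:44:55"  # constructed address
    good = LinkKey(Transport.BR_EDR, bytes.fromhex("00" * 15 + "01"),
                   authenticated=True, strength_bits=128)
    store.on_pairing_complete(peer, good)
    weak = LinkKey(Transport.LE, bytes.fromhex("ff" * 16),
                   authenticated=False, strength_bits=56)
    store.on_pairing_complete(peer, weak)
    return store.get(peer, Transport.BR_EDR)


if __name__ == "__main__":
    for mode in (False, True):
        final = simulate(restricted=mode)
        print(f"restricted={mode}: BR/EDR key authenticated={final.authenticated}, "
              f"strength={final.strength_bits} bits")
```

With the restriction off, the second, unauthenticated pairing silently replaces the authenticated BR/EDR key with a 56-bit unauthenticated one; with it on, the store keeps the original key and logs the refusal, which is also the event a defender would want surfaced by a host stack.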
Bluetooth vulnerability raises concerns
In August last year, researchers uncovered a Bluetooth vulnerability that, according to Tech Radar, made it easier for attackers to carry out brute force attacks against the encryption keys used by certain Bluetooth devices. The vulnerability was thought to affect millions of smartphones and other devices.
Jake Moore, cybersecurity specialist at ESET, explained that Bluetooth vulnerabilities can leave users’ data open to attackers.
“Bluetooth risks are rare but when they work, they can be extremely impactful,” he said.
“Such attacks can easily transfer files such as malware onto the target’s device, but they can also have the reverse effect and pilfer data onto the criminal’s machine in order to potentially extort the data owners.”
He advises users to be mindful of their Bluetooth connections.
“With current social distancing guidelines in place, it makes this attack all the more difficult to pull off. However, this would likely happen on public transport, so it is worth reminding people who keep their Bluetooth on all the time on the train to be mindful of accepting files and vigilant of this attack. It is also worth flushing out any old Bluetooth connections that may still allow a connection from devices you do not connect to anymore.”