A security vulnerability in the devices supporting both Bluetooth BR / EDR and LE ‘s Cross-Transport Key Derivation (CTKD) could allow an attacker to overwrite encryption keys, researchers have found.
Dubbed BLURtooth, researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland and Purdue University had defined the problem independently. The vulnerability is related to CTKD in implementations where the Bluetooth Standards 4.0 through 5.0 allow pairing and encryption for both Low Energy (LE) and Basic Rate / Enhanced Data Rate (BR / EDR)
Implementing CTKD in older versions of the specification “can allow access escalation between the two transports with non-authenticated encryption keys that replace authenticated keys or weaker encryption keys that replace stronger encryption keys,” explains the Bluetooth Special Interest Group (SIG).
The researchers also discovered that CTKD could allow “a remote paired system to access certain LE services if BR / EDR access is achieved or BR / EDR profiles if LE access is achieved.” However, this is considered common activity, and the SIG does not consider the cross-transport procedures to be security bugs.
According to the SIG, the BLURtooth attack requires that the attacker be within the wireless range of a vulnerable product which allows pairing on either BR / EDR or LE transport (with no authentication or user-controlled access restrictions).
“If a device spoofing the identity of another device becomes paired or bonded to a transport and CTKD is used to extract a key that then overwrites a pre-existing key of greater strength or that was generated using authentication, then access to authenticated services can occur,” reveals the Bluetooth SIG.
This can allow an adversary to launch a Man-In-The-Middle ( MITM) attack between paired and authenticated devices, given both are vulnerable.
The CERT Coordination Center (CERT / CC) revealed in a vulnerability note on Wednesday that the problem, which is tracked as CVE-2020-15802, may allow an attacker to access profiles or services that should otherwise be limited.
The SIG suggests limitations on CTKD that have been included in Bluetooth Core Specification 5.1 and later should be implemented in potentially insecure implementations too.
“Implementations should disallow overwriting of the LTK or LK for one transport with the LTK or LK derived from the other when such overwriting will result in either a reduction in the main strength of the original bonding or a reduction in the MITM security of the original bonding (from authenticated to unauthenticated). This may require the host to monitor the agreed duration and authentication status of the keys in the Bluetooth security database, “explains CERT / CC.
The Bluetooth SIG also recommends extra conformance testing to ensure that overwriting an authenticated encryption key is not enabled on devices that have support for version 5.1 or newer of the Bluetooth Core Specification. In addition, devices should limit when pairing, as well as the length of pairing mode.
