Security researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University have discovered a new vulnerability in Bluetooth. The flaw could allow attackers to perform man-in-the-middle attacks and gain access to private services and sensitive information. The bug lies in Cross-Transport Key Derivation (CTKD). The vulnerability has been named BLURtooth and is identified as CVE-2020-15802.
The researchers have detailed several attack scenarios that leverage the vulnerability, finding that threat actors can lower the strength of the Link Key encryption keys used to pair devices via Bluetooth. Vulnerable devices would then be authorized to proceed with the pairing process with no authentication and weak key strength.