Millions of devices vulnerable to BLURtooth info leak bug

Industry Bluetooth Special Interest Group suggests mitigations.

United States cyber security authorities and the Bluetooth SIG have issued alerts for a vulnerability that permits man-in-the-middle attacks by unauthorised users, potentially affecting hundreds of millions of devices with the wireless data transport protocol.

Named BLURtooth, researchers at École Polytechnique Fédérale de Lausanne in France and Purdue University in the United States discovered that they could overwrite or weaken strong encryption keys used for pairing Bluetooth devices securely.

Carnegie Mellon University's computer emergency response team (CERT) said the vulnerability  in the Cross-Transport Key Derivation (CTKD) could give attackers access to profiles and services offered by vulnerable Bluetooth devices.

The vulnerability stems from an implementation flaw in Bluetooth Classic and Low Energy (BLE) specifications 4.2 to 5.0 

Apart from devices needing to be in wireless reach of each other, they have to support the dual-mode Basic Rate/Enhanced Data Rate (BR/EDR) and BLE methods, for authenticating with CTKD.

Recognising the BLURtooth vulnerability, the Bluetooth SIG recommends that venderos implement restrictions on CTKD that were introduced in the Core Specification for the wireless protocol from version 5.1 onwards.

The interest group is also talking to members companies to encourage them to rapidly develop and distrubute patches for BLURtooth.