Researchers at EPFL and Purdue University have identified serious vulnerabilities in the Bluetooth protocol, reports the Bluetooth Special Interest Group (SIG). A flaw in the Cross-Transport Key Derivation (CTKD) component, useful in the configuration of authentication keys when pairing two Bluetooth devices, allows an attacker to overwrite other authentication keys and gain access to other services and applications related to Bluetooth.
Called BLURtooth, the flaw affects “dual mode” pairing for all devices using versions from 4.2 to 5.0 and compatible with both Bluetooth Classic (BR / EDR) and Low Energy (BLE) standards. The number of devices concerned is difficult to estimate but we are probably talking about several billion. The Bluetooth 5.0 version was only gradually replaced from January 2019. According to figures from the Bluetooth SIG, more than 2 billion devices compatible with the Classic and LE standards were sold in 2018 alone.
Regarding the BLURtooth flaw, the Bluetooth SIG recommends that manufacturers quickly deliver patches or update their devices with the Bluetooth versions not affected by the flaw.