The organization behind the technology has talked about BLURtooth, which is a new vulnerability affecting devices. All devices using the Bluetooth standard 4.0 through 5.0 are vulnerable. The Bluetooth 5.1 standard comes with features that can be activated and prevent BLURtooth attacks. Named BLURtooth, this is a vulnerability in a component of the Bluetooth standard named Cross-Transport Key Derivation (CTKD).
This component is responsible for setting up authentication keys while pairing two devices. his way, attackers can not only push malicious data through Bluetooth to the targeted devices. They can also access the data made available through the transmission.So, who’s affected by this new vulnerability.
Overwrite Bluetooth authentication keys
- .Its primary use is for the Bluetooth "dual-mode" feature.
- An attacker can manipulate the CTKD component to overwrite other Bluetooth authentication keys on a device
- Grant an attacker connecting via Bluetooth access to other Bluetooth-capable services/apps on the same device
- Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired
The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as others. The number of vulnerable devices is also unclear and hard to quantify.
How & What exactly do?
In some versions of the BLURtooth attack, the authentication keys can be overwritten completely, while in other authentication keys can be downgraded to use weak encryption. A new attack on Bluetooth capable devices. Patches not immediately available. Bluetooth SIG officials say they started notifying vendors of Bluetooth devices about the BLURtooth attacks and how they could mitigate its effects when using the 5.1 standards.
First-ever mobile hits the issue: OnePlus Nord
Many users have talked about issues with Bluetooth connectivity on the Nord. Apparently, the phone disconnects from the paired device without any warning. They also mentioned the device is picking unstable connection. They have mentioned that connection with wireless headphones or other phones barely lasts for a few minutes.
What special agencies had done?
According to security notices published today by the Bluetooth Special Interest Group (SIG) and the CERT Coordination Center at the Carnegie Mellon University (CERT/CC). Users can keep track if their device has received a patch for the BLURtooth attacks by checking firmware and OS release notes for CVE-2020-15802, the bug identifier of the BLURtooth vulnerability. However, patches are expected to be available at one point. When they'll be, they'll most likely be integrated as firmware or operating system updates for Bluetooth capable devices.
They can also overwrite the authentication keys to weaken the encryption between the devices. The concerning part is, manufacturers are yet to inform the users about this issue. And because of this, a patch to fix the issue is yet to be rolled out. We’re hoping that is done by the OEMs right away.