The Bluetooth SIG consortium has just published a security alert for "dual-mode" devices, which simultaneously support the Bluetooth Low Energy (BLE) and Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) standards. A flaw dubbed "BLURtooth" in the pairing procedure would allow an attacker to insert itself between two such devices and intercept their exchanges in the clear.
The bug is in an algorithm called Cross-Transport Key Derivation (CTKD). It lets a device generate, from a single calculation, the encryption keys for both transports (LE and BR/EDR) at the same time. Suppose two Bluetooth devices are already communicating over one of the transports, and the other transport does not require authentication.
In this case, the attacker could impersonate the devices and perform a second pairing over the other transport. The CTKD algorithm then generates new keys and, most importantly, replaces the key that was in use until then. As a result, the attacker can mount a "man in the middle" attack and access all exchanges.
Such attacks are not possible with Bluetooth 5.1 and higher, as these versions do not allow an existing encryption key to be overwritten in such a case. Versions 4.2 to 5.0, on the other hand, are vulnerable. Manufacturers are encouraged to incorporate the necessary protections themselves to prevent this type of attack.
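The following is an added illustrative model, not code from the Bluetooth SIG or from any Bluetooth stack, of the one defensive rule the article describes: a dual-mode device should not let a key derived through CTKD from a weaker (unauthenticated) pairing overwrite an existing, stronger key for the other transport. The key-conversion function, the key sizes and the sample keys are constructed for the example; the real specification uses its own AES-based conversion functions and a richer notion of key strength.

```python
# Illustrative model of CTKD key installation on a dual-mode device (added
# example; not the Bluetooth specification's algorithm or any vendor's code).
from dataclasses import dataclass
import hashlib
import hmac


@dataclass(frozen=True)
class TransportKey:
    """Key material a device keeps for one transport ("LE" or "BR/EDR")."""
    transport: str
    key: bytes
    authenticated: bool   # pairing method gave MITM protection
    key_size: int         # negotiated key length in bytes


def derive_cross_transport_key(key: bytes, target_transport: str) -> bytes:
    """Stand-in for the CTKD conversion step (assumption: HMAC-SHA256 keyed with
    the source key over a transport label, truncated to 16 bytes)."""
    return hmac.new(key, target_transport.encode(), hashlib.sha256).digest()[:16]


class DualModeKeyStore:
    """Per-transport key store with a switchable overwrite policy."""

    def __init__(self, allow_downgrade: bool):
        # allow_downgrade=True models the 4.2-5.0 behaviour the article
        # describes, where CTKD output simply replaces an existing key.
        # allow_downgrade=False models the 5.1+ rule: no downgrade overwrite.
        self.allow_downgrade = allow_downgrade
        self.keys: dict[str, TransportKey] = {}

    def install(self, new: TransportKey) -> tuple[bool, str]:
        current = self.keys.get(new.transport)
        if current is None:
            self.keys[new.transport] = new
            return True, "installed: no existing key"
        if not self.allow_downgrade:
            if current.authenticated and not new.authenticated:
                return False, "rejected: authenticated key would be replaced by an unauthenticated one"
            if new.key_size < current.key_size:
                return False, "rejected: key would be shortened"
        self.keys[new.transport] = new
        return True, "replaced existing key"

    def pair_and_derive(self, transport: str, key: bytes,
                        authenticated: bool, key_size: int) -> list[tuple[bool, str]]:
        """Complete a pairing on `transport`, then apply CTKD to the other one.
        The derived key inherits the authentication status of the pairing."""
        results = [self.install(TransportKey(transport, key, authenticated, key_size))]
        other = "BR/EDR" if transport == "LE" else "LE"
        derived = derive_cross_transport_key(key, other)
        results.append(self.install(TransportKey(other, derived, authenticated, key_size)))
        return results


def original_le_key_survives(allow_downgrade: bool) -> bool:
    """Scenario from the article: a device already holds an authenticated LE
    key; an unauthenticated BR/EDR pairing then triggers CTKD. Returns True if
    the original LE key is still in place afterwards. Sample keys are constructed."""
    store = DualModeKeyStore(allow_downgrade)
    original_le = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    store.install(TransportKey("LE", original_le, authenticated=True, key_size=16))
    weak_bredr = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed
    store.pair_and_derive("BR/EDR", weak_bredr, authenticated=False, key_size=16)
    return store.keys["LE"].key == original_le


if __name__ == "__main__":
    for policy in (True, False):
        kept = original_le_key_survives(allow_downgrade=policy)
        print(f"allow_downgrade={policy}: original LE key kept = {kept}")
```

With `allow_downgrade=True` the derived key silently replaces the authenticated LE key, which is the state the article attributes to versions 4.2 to 5.0; with `allow_downgrade=False` the second `install` call is refused and the original key remains, which is the behaviour the article attributes to 5.1 and later. The check is deliberately placed in the store rather than in the pairing code so that every path that writes a key is covered by the same rule.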