Update: The Bluetooth SIG on Friday issued a statement (below) saying that the vulnerability is less severe than originally believed.  

A newly disclosed vulnerability in the ubiquitous Bluetooth wireless standard could enable hackers to connect to devices remotely in a given area and access users’ applications.

The vulnerability, dubbed Blurtooth, was detailed on Wednesday by the Bluetooth SIG industry body that oversees development of the standard. There are currently no patches available.

Bluetooth is found in billions of devices worldwide ranging from smartphones to “internet of things” gadgets. In the consumer technology world, it’s commonly used to power short-range connections for tasks such as pairing wireless earbuds with a handset. But Bluetooth also supports longer-range data transfer over distances of as much as several hundred feet, a range that hackers could potentially exploit using Blurtooth to launch attacks.

The vulnerability harnesses a weakness in the way Bluetooth verifies the security of connections. Normally, a user must manually approve a connection request before their device is linked to another system, but Blurtooth makes it possible to circumvent this defense. A hacker can configure a malicious system to impersonate a Bluetooth device that the user had already approved, such as their wireless earbuds, and gain access to the Bluetooth-enabled apps on the user’s machine.

Blurtooth attacks rely on a built-in Bluetooth security feature known as CTKD. Normally, this feature is used to help encrypt connections. But a hacker could exploit it to hijack the authentication key of a previously approved device, which is what makes it possible to impersonate legitimate endpoints, and thereby circumvent the need for the user to approve inbound connections. 

The limited wireless range of Bluetooth reduces the threat posed by the vulnerability. The two editions of the technology affected, Low Energy and Basic Rate, only support connections over distances of up to 300 or so feet. But the widespread support for those two Bluetooth editions in consumer devices means that a large number of endpoints could potentially be vulnerable. 

The Bluetooth SIG industry body stated that all devices using Bluetooth versions 4.0 through 5.0 are affected. The newest 5.2 version, which isn’t yet widely adopted, apparently isn’t vulnerable, while the 5.1 release has certain built-in features that device makers can turn on to block Blurtooth attacks.

In a security notice, Bluetooth SIG said it’s “broadly communicating” details of the vulnerability with device makers to speed up the industry response. The group is “encouraging them to rapidly integrate any necessary patches.” It’s not yet clear when patches will become available or which devices will need them.

The Blurtooth vulnerability was discovered by researchers from Switzerland’s EPFL École Polytechnique Fédérale de Lausanne and Purdue University. 

The Bluetooth SIG published the following statement Friday:

We’d like to provide a few clarifications regarding the BLURtooth vulnerability.  The initial public statement from the Bluetooth SIG indicated the vulnerability could impact devices using Bluetooth Core Specification versions 4.0 through 5.0.  However, that that has now been corrected to indicate just versions 4.2 and 5.0.  In addition,  the BLURtooth vulnerability does not impact all devices using these versions. To be potentially open to attack, a device must support both BR/EDR and LE simultaneously, support cross-transport key derivation, and leverage pairing and derived keys in a specific way. The fix for this issue is outlined in the Bluetooth Core Specification 5.1 and later, and the Bluetooth SIG has recommended to members with vulnerable product that they incorporate this change into older designs, where possible. The Bluetooth SIG works closely with the research community to identify and resolve potential vulnerabilities in advance of research announcements like today.

Photo: Unsplash