Bluetooth encryption bug called BlurTooth

September 19, 2020
bluetooth vulnerability encryption exploit blurtooth

An Independent researcher has recently submitted their concluded report about the vulnerability they have unraveled for the current version of the Bluetooth version. The noted version of the application was in ranges of 4.0 to 5.0, in which most modern smart devices have come in the package. The Bluetooth Special Interest Group (SIG) – the group that oversees Bluetooth standardization, dubbed this infraction as ‘BlurTooth.’

The weakness was found within the Cross-Transport Key Derivation (CTKD) protocol wherein the released version supports the Classic and Low Energy data transmission. This type of transmission is used to specifically conserve energy and seclude a more secure connection. The pairing can be tarred by any threat actor within the range of the paired devices. When an adversary injects a higher level of security on the pairing, the encryption key can be overwritten by them and accessed to the information on both paired devices such as profiles, photos, contacts, and other data as long as it is non-restricted. Furthermore, devices that have been paired before or have low to non-authentication pairing needed are also susceptible to this attack. Moreover, this intrusion is also available on a real-time scenario known as Man-in-the-middle (MITM), assuming the conditions were met.

According to the Bluetooth SIG, they do not see this as vulnerability about the application as there are still conditions to be met, especially the proximity factor. However, they have already contacted different device manufacturers that use the platform to check whether they are affected by the issue and considered upgrading to the latest version of the app, which is the version of 5.1 and higher that ensure restrictions to the CTKD are enforced. In addition to the update, this will ensure that attacker cannot overwrite the encrypted key generated on previously paired devices. This will restrict entering either a new key generated by the adversaries to gain access to the pairing. It is also advisable that a previously paired device determine automatic pairing mode when not in use.


As the governing body for the Bluetooth industry, they have released on their website lists of affected devices and the update needed.


While other manufacturers are soon to submit the result of their investigation to confirm if they were affected by this report. In compliance and aid to the welfare of the members of the industry.

Lastly, they also advised all users to ensure that the latest updates and patches are always installed. This will be their first line of security against any known intrusion and malicious activity unraveled within the cybercommunity.

About the author

Leave a Reply