New Unpatched Bluetooth Vulnerability Lets Hackers Conquer Encryption Easily



Security researchers from Bluetooth SIG disclosed a very serious Bluetooth vulnerability that allows an attacker to bypass the authentication key or pairing key, giving them full control of the service.


This bug leaves millions of Bluetooth devices around the globe vulnerable. The researchers also identified that this flaw affects Bluetooth versions 4.0 to 5.0. The flaw, recorded as CVE-2020-15802, allows attackers to overwrite the authentication key or to decrease the key strength, enabling them to communicate with a targeted neighbouring computer.


Risk Of This Vulnerability 


The flaw may lead to a wide range of possible attacks, including man-in-the-middle attacks. A report detailing an attack scenario and the outcome of successful exploitation was also released by the Bluetooth Special Interest Group (SIG), the body that supervises the evolution of Bluetooth standards.


An attacker within Bluetooth range of a vulnerable target device could spoof a paired device's identity in order to overwrite the original key and access authenticated services.

"If a device spoofing another device's identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur" - Bluetooth SIG advisory
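The overwrite condition in the advisory quote can be turned into a guard in a device's bond storage. The following is an added example, not code from the Bluetooth SIG or from any real Bluetooth stack; the struct, enum and function names are hypothetical, and it assumes the stack records for each stored key whether it was authenticated and what its key size is.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bond record for one peer on one transport (BR/EDR or LE). */
struct bond_key {
    bool    present;        /* a key is already stored for this peer */
    bool    authenticated;  /* key came from authenticated pairing */
    uint8_t key_size;       /* effective key size in bytes */
    uint8_t value[16];
};

enum ctkd_decision { CTKD_STORE, CTKD_REJECT_UNAUTH, CTKD_REJECT_WEAKER };

/* May a key derived via CTKD replace the key already stored for this peer? */
enum ctkd_decision ctkd_check_overwrite(const struct bond_key *existing,
                                        const struct bond_key *derived)
{
    if (!existing->present)
        return CTKD_STORE;             /* no pre-existing key to downgrade */
    if (existing->authenticated && !derived->authenticated)
        return CTKD_REJECT_UNAUTH;     /* would replace an authenticated key */
    if (derived->key_size < existing->key_size)
        return CTKD_REJECT_WEAKER;     /* would replace a stronger key */
    return CTKD_STORE;
}

/* The stored key is modified only when the check allows it. */
enum ctkd_decision ctkd_store_derived(struct bond_key *slot,
                                      const struct bond_key *derived)
{
    enum ctkd_decision d = ctkd_check_overwrite(slot, derived);
    if (d == CTKD_STORE) {
        *slot = *derived;
        slot->present = true;
    }
    return d;
}

int main(void)
{
    /* Constructed sample: an authenticated 16-byte key is already bonded. */
    struct bond_key stored  = { .present = true, .authenticated = true,  .key_size = 16 };
    struct bond_key derived = { .present = true, .authenticated = false, .key_size = 7 };
    enum ctkd_decision d = ctkd_store_derived(&stored, &derived);
    printf("decision=%d stored_size=%u\n", d, (unsigned)stored.key_size);
    return d == CTKD_REJECT_UNAUTH ? 0 : 1;
}
```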


Cause Of The Flaw

The researchers found Cross-Transport Key Derivation (CTKD) vulnerabilities in Bluetooth Specification 4.2 to 5.0 implementations that allow pairing and encryption. Furthermore, the researchers discovered that CTKD may allow access to several LE services on a remotely paired computer.


For the attack to succeed, the attacking device must be within wireless range of a vulnerable Bluetooth device. Bluetooth users must ensure that they install the latest recommended updates from their computer and operating system producers.



The Bluetooth SIG is also providing its member companies with information and solutions on this flaw and urges everyone to quickly implement any required patches.
