BLURtooth Flaw Targets Bluetooth Technology to Create Attack Methods

A new Bluetooth vulnerability called BLURtooth could allow attackers to access devices by exploiting a flaw in CTKD technology.

Security researchers have discovered a vulnerability in Bluetooth technology which could allow a bad actor to compromise communications with a nearby device.

Researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University call the Bluetooth bug “BLURtooth”. According to the team, the flaw (CVE-2020-15802) is high-severity and is found in the pairing technology for Bluetooth 4.0 and 5.0.

Specifically, a problem in the Cross-Transport Key Derivation (CTKD) could give an attacker within wireless range access to communications on a victim device. This would include spying on communications and altering the link between devices.

“Devices… using [CTKD] for pairing are vulnerable to key overwrite, which enables an attacker to gain additional access to profiles or services that are not restricted, by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key,” according to a security advisory by the Carnegie Mellon CERT Coordination Center.

CTKD is used when two dual-mode devices pair. Dual mode means they support both Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR). BLE is the latest iteration of the tech, whereas BR/EDR is the classic version. Dual-mode devices can run both of these protocols.

When dual-mode devices link, they generate encryption keys known as Link Keys. However, the vulnerability in CTKD means the strength of the Link Key can be undermined. Attackers could exploit this flaw to pair their own dual-mode device to a victim device without needing authentication.

While it is deemed a severe flaw, the nature of Bluetooth tech means an attacker would need to act under specific circumstances: they would need to be within wireless range. However, it's worth noting that the range of Bluetooth 5.0 is 800 feet.

“If a device spoofing another device's identity becomes paired or bonded on a transport, and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur,” according to a security advisory on Wednesday by the Bluetooth Special Interest Group (SIG), the group that oversees the technology. “This may permit a man-in-the-middle (MITM) attack between devices previously bonded using authenticated pairing when those peer devices are both vulnerable.”
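The key-overwrite condition described in the CERT and SIG advisories above, as an added illustration that is not code from the article or from any Bluetooth stack: a toy bonding store holds one key per transport, a stand-in CTKD function derives the other transport's key from an existing one, and the hardened store applies the advisory's rule (never let a derived key replace a key of greater strength or one created with authenticated pairing). The SHA-256 derivation, the 7-byte and 16-byte key sizes and the "BR/EDR" / "LE" labels are constructed assumptions for the simulation, not the real CTKD functions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class BondKey:
    transport: str        # constructed labels: "BR/EDR" or "LE"
    key: bytes
    key_size: int         # negotiated key size in bytes (assumed 7 = weak, 16 = full)
    authenticated: bool   # True if the pairing used an MITM-protected method


def ctkd_derive(src: BondKey, dst_transport: str) -> BondKey:
    # Stand-in for CTKD: the other transport's key is derived from the existing one.
    # SHA-256 only models "derived from"; it is not the real derivation function.
    derived = hashlib.sha256(dst_transport.encode() + src.key).digest()[:16]
    return BondKey(dst_transport, derived, src.key_size, src.authenticated)


class BondStore:
    def __init__(self, enforce_policy: bool):
        self.enforce_policy = enforce_policy
        self.keys: Dict[str, BondKey] = {}

    def install(self, new: BondKey) -> bool:
        old = self.keys.get(new.transport)
        if old is not None and self.enforce_policy:
            # Mitigation modelled on the advisories: refuse a downgrade in key
            # strength and refuse an unauthenticated key replacing an authenticated one.
            if new.key_size < old.key_size or (old.authenticated and not new.authenticated):
                return False
        self.keys[new.transport] = new
        return True


def simulate(enforce_policy: bool) -> BondKey:
    """Return the BR/EDR key left in the store after a cross-transport overwrite attempt."""
    store = BondStore(enforce_policy)
    # Earlier: the user bonded over BR/EDR with an authenticated, full-strength key.
    store.install(BondKey("BR/EDR", bytes(16), 16, True))
    # Later: a peer claiming the same identity bonds over LE with a weak,
    # unauthenticated key (constructed values).
    weak_le = BondKey("LE", b"\x01" * 16, 7, False)
    store.install(weak_le)
    # CTKD then derives a BR/EDR key from that weak LE key and tries to install it.
    store.install(ctkd_derive(weak_le, "BR/EDR"))
    return store.keys["BR/EDR"]
```

With the policy off, the authenticated 16-byte BR/EDR key is silently replaced by a 7-byte unauthenticated one; with it on, the original key survives and the overwrite is rejected.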