Bluetooth technology has amassed its fair share of diehard stans over the years, despite some pretty gnarly bugs that open devices up to a bevy of bad actors. Now, the organisation behind the namesake technology has put out a statement about the latest threat facing those of us with Bluetooth-enabled devices — and there’s no patch in sight.
BLURtooth, as the issue’s been named, was brought to the company’s attention by researchers from The Bluetooth Special Interest Group, and confirmed by another group out of Carnegie Mellon. According to the researchers, the protocols that both Android and iOS follow when linking up to another Bluetooth-powered device — like, say, a pair of speakers — can be effectively hijacked to give an attacker access to any bluetooth-powered app or service on the phone.
The issue is with a protocol called Cross-Transport Key Derivation (or CTKD, for short). When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKD’s role is to set up two separate authentication keys for that phone: one for a “Bluetooth Low Energy” device, and one for a device using what’s known as the “Basic Rate/Enhanced Data Rate” standard. Different devices require different amounts of data — and battery power — from a phone. Being able to toggle between the standards needed for Bluetooth devices that take a ton of data (like a Chromecast), and those that require a bit less (like a smartwatch) is more efficient. Incidentally, it might also be less secure.
According to the researchers, if a phone supports both of those standards but doesn’t require some sort of authentication or permission on the user’s end, a hackery sort who’s within Bluetooth range can use its CTKD connection to derive its own competing key. With that connection, according to the researchers, this sort of erzatz authentication can also allow bad actors to weaken the encryption that these keys use in the first place — which can open its owner up to more attacks further down the road, or perform “man in the middle” style attacks that snoop on unprotected data being sent by the phone’s apps and services.
Thus far, we don’t have any examples of BLUR-based exploits happening in the wild. But just to be safe, the Bluetooth Special Interest team reportedly began notifying device vendors about the threat of these sorts of attacks, saying that those that are worried about a potentially vulnerable connection should use the handy CTKD restrictions that come with Bluetooth’s 5.1. As for Bluetooth 4.0 and 5.0 devices, well… they’re just stuck with this massive security loophole for now. For folks working with that mildly outdated tech, Bluetooth’s corporate statement says that the only way to protect yourself is to keep an eye on the environment where you’re pairing your devices together, since any rogue actor would need to be somewhat nearby in order to carry these sorts of shenanigans out.
There are other small steps you can take if you’re nervous about any Bluetooth snooping, but right now, a patch isn’t one of them. And with no publicised patching timeline from any of these players, we’re really being left at the whims of these Bluetooth-powered device vendors and OS operators to do the right thing, and quickly.