020 7193 4905

BLURtooth – it’s not a misprint

Everyday devices may provide a gateway for attackers

Bluetooth has moved from being a somewhat esoteric feature on higher-end devices to being an everyday standard for many different gadgets: mice and keyboards, earphones, fitness trackers, speakers, printers, peer-to-peer data transfer for cameras, phones, etc., creating what is technically known as a wireless personal area network.

Intended as a wireless substitute for a cable to connect devices, it suffers from the potential problem that afflicts all such wireless communications – it is easy to eavesdrop on it. Accordingly, as one might expect, Bluetooth uses encryption to keep data in its right place.

Confusingly, there are two versions of Bluetooth. Confusing, that is, for engineers, since the user of Bluetooth devices never has to make the distinction,. Bluetooth Low Energy (BLE) has a shorter range, and therefore uses less battery power. “Classic Bluetooth” uses another set of alphabet soup, BR/EDR (Basic Rate/Enhanced Data Rate).

Many devices are compatible with both standards, and when setting up a connection between devices, generate two sets of authentication keys using a protocol known as Cross-Transport Key Derivation (CTKD).

However, it has been discovered that devices which use this CTKD protocol and are BLE and BR/EDR compatible are vulnerable to a form of attack that can weaken the encryption between devices by substituting an unverified key for the real verified key or reducing the key strength.

When this has been achieved, the attacker can then act as the “man in the middle”, reading messages passed between devices before passing them on. In the case of a keyboard, that could provide a keylogger system, recording all keystrokes, including login details and passwords. At worst, an attacker could hijack a more sophisticated device, such as a phone or tablet, and read the data stored on it, while the user of the device believes that they are only playing music through wireless headphones. This vulnerability has been christened ‘BLURtooth’, and in theory, an attacker could work his or her evil way on devices at up to 250 metres (800 feet) range for Bluetooth 5 devices, and approximately half that for Bluetooth 4.

This is not the only vulnerability which has been discovered in Bluetooth over the years. John Douglas, Technical Director of First Response, comments, “Previous versions of Bluetooth could lay the data on some devices wide open to being compromised. Such vulnerabilities have now been patched.”

However, exploits leveraging the BLURtooth vulnerability have yet to be reported “in the wild”, but it may be only a matter of time before this is exploited by bad actors, before Bluetooth standards are patched to stop up this hole.

It is also a timely reminder that even supposedly innocent and ‘safe’ technology that we take for granted every day may be vulnerable to attack. Feel free to make an appointment with one of our Security Associates at First Response to discuss any security issues that you feel may affect your business or enterprise.

Talk to one of our specialists today – Call 020 7193 4905