BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks
Security News, September 2020
A security vulnerability in the Cross-Transport Key Derivation (CTKD) of devices that support both Bluetooth BR/EDR and Bluetooth LE could allow an attacker to overwrite encryption keys, researchers have discovered.
The implementation of CTKD in older versions of the specification "may permit escalation of access between the two transports with non-authenticated encryption keys replacing authenticated keys or weaker encryption keys replacing stronger encryption keys," the Bluetooth Special Interest Group explains.
"If a device spoofing another device's identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur," the Bluetooth SIG reveals.
"Implementations should disallow overwrite of the LTK or LK for one transport with the LTK or LK derived from the other when this overwrite would result in either a reduction of the key strength of the original bonding or a reduction in the MITM protection of the original bonding. This may require that the host track the negotiated length and authentication status of the keys in the Bluetooth security database," CERT/CC explains.
The Bluetooth SIG also recommends performing additional conformance tests to verify that overwriting an authenticated encryption key is not allowed on devices supporting Bluetooth Core Specification version 5.1 or newer.
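The CERT/CC guidance above asks the host to track the negotiated key length and the authentication status of each stored LK/LTK and to refuse any cross-transport overwrite that would weaken either, and the SIG's conformance-test recommendation asks implementers to verify exactly that. The following added example (not code from the Bluetooth SIG, CERT/CC, or any real Bluetooth stack) models that policy as a small security database with a decision function, then runs the constructed scenarios a conformance check would want to cover. The peer address, key bytes, and class names are assumptions; the key material is a placeholder rather than the output of the real CTKD derivation functions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Transport(Enum):
    BR_EDR = "BR/EDR"  # bonding key on this transport is the Link Key (LK)
    LE = "LE"          # bonding key on this transport is the Long Term Key (LTK)


@dataclass(frozen=True)
class BondKey:
    """A stored LK or LTK plus the two attributes the host has to track."""
    transport: Transport
    key: bytes            # placeholder key bytes; real CTKD derives them with h6/h7
    length: int           # negotiated encryption key size in bytes (7..16)
    authenticated: bool   # True if pairing had MITM protection (passkey, OOB, ...)

    def __post_init__(self) -> None:
        if not 7 <= self.length <= 16:
            raise ValueError("encryption key size must be between 7 and 16 bytes")


class Decision(Enum):
    STORED_NEW = "stored: no key existed for this transport"
    STORED_NO_DOWNGRADE = "stored: equal or stronger than the existing key"
    REJECTED_SHORTER_KEY = "rejected: would reduce the key strength of the bonding"
    REJECTED_LOST_MITM = "rejected: would reduce the MITM protection of the bonding"


def ctkd_overwrite_decision(existing: Optional[BondKey], derived: BondKey) -> Decision:
    """The check the advisory asks for: a key derived from the other transport may
    never replace one that is longer or that was created with authentication."""
    if existing is None:
        return Decision.STORED_NEW
    if derived.length < existing.length:
        return Decision.REJECTED_SHORTER_KEY
    if existing.authenticated and not derived.authenticated:
        return Decision.REJECTED_LOST_MITM
    return Decision.STORED_NO_DOWNGRADE


class SecurityDatabase:
    """Per-peer store of LK and LTK with their length and authentication status."""

    def __init__(self) -> None:
        self._keys: Dict[str, Dict[Transport, BondKey]] = {}

    def get(self, peer: str, transport: Transport) -> Optional[BondKey]:
        return self._keys.get(peer, {}).get(transport)

    def store_from_pairing(self, peer: str, key: BondKey) -> None:
        """Key produced by pairing on its own transport (not the case the advisory covers)."""
        self._keys.setdefault(peer, {})[key.transport] = key

    def store_from_ctkd(self, peer: str, derived: BondKey) -> Decision:
        """Key derived for `derived.transport` from the other transport's key."""
        decision = ctkd_overwrite_decision(self.get(peer, derived.transport), derived)
        if decision in (Decision.STORED_NEW, Decision.STORED_NO_DOWNGRADE):
            self._keys.setdefault(peer, {})[derived.transport] = derived
        return decision


def run_scenarios() -> Dict[str, Decision]:
    """Constructed conformance-style scenarios; peer address and key bytes are placeholders."""
    peer = "AA:BB:CC:DD:EE:01"
    results: Dict[str, Decision] = {}

    # 1. Authenticated 16-byte LK on BR/EDR; an LE pairing without MITM protection
    #    then derives an unauthenticated LK via CTKD. This is the downgrade the
    #    advisory describes, so the host must keep the original key.
    db = SecurityDatabase()
    db.store_from_pairing(peer, BondKey(Transport.BR_EDR, b"\x11" * 16, 16, True))
    results["unauth_replaces_auth"] = db.store_from_ctkd(
        peer, BondKey(Transport.BR_EDR, b"\x22" * 16, 16, False))
    assert db.get(peer, Transport.BR_EDR).key == b"\x11" * 16  # original key kept

    # 2. A shorter derived LTK must not replace a longer one, even if authenticated.
    db.store_from_pairing(peer, BondKey(Transport.LE, b"\x33" * 16, 16, True))
    results["short_replaces_long"] = db.store_from_ctkd(
        peer, BondKey(Transport.LE, b"\x44" * 7, 7, True))

    # 3. Upgrade: an unauthenticated LTK replaced by an authenticated one of equal length.
    db.store_from_pairing(peer, BondKey(Transport.LE, b"\x55" * 16, 16, False))
    results["auth_replaces_unauth"] = db.store_from_ctkd(
        peer, BondKey(Transport.LE, b"\x66" * 16, 16, True))

    # 4. No key yet on the target transport: CTKD simply provisions it.
    results["fresh_transport"] = SecurityDatabase().store_from_ctkd(
        peer, BondKey(Transport.LE, b"\x77" * 16, 16, False))
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision.value}")
```

The decision is deliberately separated from the database so that it can be exercised directly in a conformance test: every combination of existing and derived key length and authentication status can be tabulated against `ctkd_overwrite_decision` without needing a radio or a pairing procedure. Note that the same-transport re-pairing path (`store_from_pairing`) is left unconstrained here because the advisory addresses only keys that cross from one transport to the other.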