Security News > 2021 > May > New Bluetooth Vulnerabilities Could Expose Many Devices to Impersonation Attacks

Researchers working for a French government agency have identified seven new Bluetooth vulnerabilities that could expose many devices to impersonation and other types of attacks.

The flaws, discovered by researchers at France's national cybersecurity agency ANSSI, affect devices that support the Bluetooth Core and Mesh specifications, which define technical and policy requirements for devices operating over Bluetooth connections.

Malicious actors who are within Bluetooth range can exploit the weaknesses to impersonate legitimate devices, according to an advisory published on Monday by the CERT Coordination Center at Carnegie Mellon University.

Advisories for each flaw have also been published by the Bluetooth Special Interest Group, the organization that oversees the development of Bluetooth standards.

In the case of CVE-2020-26555, the Bluetooth SIG explained, "The attacker must be able to identify the of the vulnerable device before it can launch the attack, generally requiring the device to be discoverable. If successful, the attacker will be able to complete pairing with a known link key, encrypt communications with the vulnerable device, and access any profiles permitted by a paired or bonded remote device supporting Legacy Pairing."

As for CVE-2020-26558, the organization explained that an attacker in range of two devices initiating Bluetooth pairing could authenticate one of the victim devices to their own device, but the attack does not allow for successful pairing between the devices, which prevents a fully transparent MitM attack.

News URL

http://feedproxy.google.com/~r/securityweek/~3/AErWbbc4eS4/new-bluetooth-vulnerabilities-could-expose-many-devices-impersonation-attacks