Security News

A team of academic researchers have discovered a Bluetooth Low Energy vulnerability that allows spoofing attacks that could affect the way humans and machines carry out tasks. It potentially impacts billions of Internet of Things devices, researchers said, and remains unpatched in Android devices.

A "Hack-proof" smart padlock with security based on blockchain technology could be defeated by a simple Bluetooth replay attack - or a 1kg lump hammer. Its unique selling point is that the padlock can be locked and unlocked using an app that transmits over a Bluetooth Low Energy connection, rather than a physical key or combination lock.

Named BLURtooth, aka CVE-2020-15802, the flaw was present in the Bluetooth BR/EDR from specification version 4.2 to 5.0. The latest version of the Bluetooth spec is 5.2.

There are two types of Bluetooth protocols related to the attack - the older Bluetooth Classic and newer Bluetooth Low Energy. The process of CTKD is utilized when two dual-mode devices pair with each other - "Dual-mode" meaning that they support both BLE and BR/EDR. The process means the devices only need to pair over either BLE or BR/EDR to get the encryption keys - called Link Keys - for both transport types in one go.

Bluetooth SIG-an organization that oversees the development of Bluetooth standards-today issued a statement informing users and vendors of a newly reported unpatched vulnerability that potentially affects hundreds of millions of devices worldwide. Discovered independently by two separate teams of academic researchers, the flaw resides in the Cross-Transport Key Derivation of devices supporting both - Basic Rate/Enhanced Data Rate and Bluetooth Low Energy standard.

A security vulnerability in the Cross-Transport Key Derivation of devices supporting both Bluetooth BR/EDR and LE could allow an attacker to overwrite encryption keys, researchers have discovered. The implementation of CTKD in older versions of the specification "May permit escalation of access between the two transports with non-authenticated encryption keys replacing authenticated keys or weaker encryption keys replacing stronger encryption keys," the Bluetooth Special Interest Group explains.

As first reported by Ars Technica, Bridgefy was promoting itself earlier this year as the app of choice for protesters in Hong Kong and India to organise their activities without being easily spied upon by law enforcement agencies. The app uses both the internet and Bluetooth Low Energy for passing messages between users, falling back to the latter as a mesh network if wider internet connectivity is unavailable.

Offensive Security has released Kali Linux 2020.3, the latest iteration of the popular open source penetration testing platform. Kali NetHunter - Kali's mobile pentesting platform/app - has been augmented with Bluetooth Arsenal, which combines a set of Bluetooth tools in the app with pre-configured workflows and use cases.

Apptricity announced the launch of its new 20-Mile Ultra Long-Range Bluetooth beacon. This new Bluetooth, from the Apptricity Development Group, is the longest-ranging secure connection on the market, with the ability to transmit data up to 20 miles outdoors and penetrate up to 20 floors indoors.

Renesas Electronics Corporation announced sample shipment availability of the new RYZ012 Bluetooth module targeting ultra-low power IoT applications. The RYZ012 also includes a battery monitor to measure battery capacity and detect low power in battery-operated devices.