The vulnerability, named BLURtooth, is in a component of the Bluetooth standard called Cross-Transport Key Derivation (CTKD).
This component is used to set up authentication keys when pairing two Bluetooth-enabled devices.
The role of CTKD is to keep the keys available and let the connected devices decide which version of the Bluetooth standard they want to use. Its main use is "dual function" Bluetooth.
But according to security alerts released today by the Bluetooth Special Interest Group (SIG) and the CERT Coordination Center at Carnegie Mellon University (CERT/CC), an attacker could manipulate CTKD to replace Bluetooth authentication keys on a device and access other Bluetooth-enabled services and applications on the same device.
In some versions of the BLURtooth attack, authentication keys can be completely replaced, while in others the authentication keys can be downgraded to use weak encryption.
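A defender-side sketch of the two cases described above (key replacement and key downgrade), added here as an example and not taken from the Bluetooth SIG, CERT/CC or any Bluetooth stack: a key store that refuses a CTKD-derived key when it would weaken the key already stored for that peer. The `Bond` fields, the `BondStore` class and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bond:
    peer: str               # peer address (sample values below are constructed)
    transport: str          # "LE" or "BR/EDR"
    authenticated: bool     # key came from an authenticated pairing
    key_size: int           # effective key size in bytes
    via_ctkd: bool = False  # key was derived from the other transport by CTKD

def is_weaker(new: Bond, old: Bond) -> bool:
    """True if `new` is unauthenticated where `old` was authenticated, or shorter."""
    return (old.authenticated and not new.authenticated) or new.key_size < old.key_size

class BondStore:
    """Hypothetical host-side key store keyed by (peer, transport)."""
    def __init__(self):
        self._bonds = {}
        self.rejected = []  # refused CTKD writes, kept for alerting

    def offer(self, bond: Bond) -> bool:
        """Store `bond` unless it is a CTKD-derived key that weakens the stored one."""
        slot = (bond.peer, bond.transport)
        current = self._bonds.get(slot)
        if bond.via_ctkd and current is not None and is_weaker(bond, current):
            self.rejected.append(bond)
            return False
        self._bonds[slot] = bond
        return True

    def get(self, peer: str, transport: str):
        return self._bonds.get((peer, transport))

PEER = "AA:BB:CC:00:00:01"  # constructed address
SAMPLE_EVENTS = [           # constructed pairing events, in arrival order
    Bond(PEER, "BR/EDR", True, 16),                  # original authenticated pairing
    Bond(PEER, "LE", True, 16, via_ctkd=True),       # CTKD fills the empty LE slot
    Bond(PEER, "BR/EDR", False, 16, via_ctkd=True),  # replacement: unauthenticated key
    Bond(PEER, "LE", True, 7, via_ctkd=True),        # downgrade: shorter key
    Bond(PEER, "LE", True, 16, via_ctkd=True),       # equal strength, accepted
]

def replay(events):
    """Feed events to a fresh store; return it with the per-event decisions."""
    store = BondStore()
    return store, [store.offer(e) for e in events]

if __name__ == "__main__":
    store, results = replay(SAMPLE_EVENTS)
    for event, ok in zip(SAMPLE_EVENTS, results):
        print("stored  " if ok else "REJECTED", event)
```

The check only covers keys written through CTKD; a direct re-pairing on the same transport is outside what this sketch models.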
All devices that use versions 4.0 to 5.0 of the Bluetooth standard are vulnerable. Bluetooth 5.1 has features that can be enabled to prevent BLURtooth attacks.
There are currently no security updates to fix this vulnerability. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are connected.
However, security updates are expected to be available soon. They will most likely be delivered as firmware or operating system updates for Bluetooth-enabled devices.
According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.