New Bluetooth Vulnerability

There’s a new unpatched Bluetooth vulnerability:

The issue is with a protocol called Cross-Transport Key Derivation (or CTKD, for short). When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKD’s role is to set up two separate authentication keys for that phone: one for a “Bluetooth Low Energy” device, and one for a device using what’s known as the “Basic Rate/Enhanced Data Rate” standard. Different devices require different amounts of data—and battery power—from a phone. Being able to toggle between the standards needed for Bluetooth devices that take a ton of data (like a Chromecast), and those that require a bit less (like a smartwatch) is more efficient. Incidentally, it might also be less secure.

According to the researchers, if a phone supports both of those standards but doesn’t require some sort of authentication or permission on the user’s end, a hackery sort who’s within Bluetooth range can use its CTKD connection to derive its own competing key. With that connection, according to the researchers, this sort of erzatz authentication can also allow bad actors to weaken the encryption that these keys use in the first place—which can open its owner up to more attacks further down the road, or perform “man in the middle” style attacks that snoop on unprotected data being sent by the phone’s apps and services.

Another article:

Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks, or pairings with rogue devices carried out via social engineering (tricking the human operator).

However, patches are expected to be available at one point. When they’ll be, they’ll most likely be integrated as firmware or operating system updates for Bluetooth capable devices.

The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as others. The number of vulnerable devices is also unclear and hard to quantify.

Many Bluetooth devices can’t be patched.

Final note: this seems to be another example of simultaneous discovery:

According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.

Posted on September 17, 2020 at 6:18 AM9 Comments


Dorin September 17, 2020 6:28 AM

This seems a little bit complicated for an attacker to pursue, especially on an unknown/random target. Maybe that’s why vendors don’t see it as a high priority fix…

TimH September 17, 2020 9:12 AM

@Dorin: Complicated doesn’t matter: it only has be designed once. It’s the cost and complexity of reproduction that matters… and software is essentially free to replicate

Clive Robinson September 17, 2020 11:27 AM

@ Ismar,

Justin time to take advantage of all the COVID-19 tracings apps…

Which might also account for @Bruces,

Final note: this seems to be another example of simultaneous discovery:

That is now would be a good time for various publishing reasons to be taking a long hard look at BlueTooth, which let’s be honest has never realy been that secure anyway even before it got overloaded by the world and it’s dog. Which is why the more cautious have it disabled all the time and won’t be enabling it for COVID-Apps.

In fact the way things are going I would not be surprised if there was an uptick in people buying older design phones that lack BlueTooth and the like… oh and others not doing Google updates to avoid their nonsence as well.

As for Apple Fanbois, you never can tell with them what they will do, probably rush around so they can be on everyones contact list, just to feel included…

Clive Robinson September 17, 2020 11:43 AM

@ Dorin,

Maybe that’s why vendors don’t see it as a high priority fix…

Hmm let me put my “dual pointy” managers hat on for a moment…

Well first of I’m going to shout at you that famous line,

Don’t bring me problems bring me solutions.

As that’s the first line of defence in not making a decision (remember Rule of Managment No1, the way to survive in managment is “Never be in the same room as a decision”).

But then I will consider what I want the programers to do, after all they are a whiney bunch anyway…

Hmm that’s not dificult after all the choice is,

“New Features -v- Old Bugs”

So as “New Features” is what “Marketing want” and they have the most pull in the C-corridor, that’s the way to go. So I tell you,

Marketing has a big push on at the moment, so they want you to do these new features ASAP if not three weeks earlier

But if you argue, I’ve got an inescapable argument of “Who cares about old bugs, if they did we would have heard about them when they were new bugs”…

Now any questions before I take the pointy hat off?

Who? September 18, 2020 5:57 AM

Seriously, who needs bluetooth? It is an expensive ⸺from the point of view of security⸺ commodity. Plagued with lots of zero days and protocol design errors; it is useless when compared to 802.11 for long distances or multiple devices, and much worse than real data transmission cables for short ones.

This technology was designed to solve a non-existing problem, connecting devices at short distances, but created a huge amount of vulnerabilities. Most of these vulnerabilities remain unfixed as a consequence of lack of care from device manufacturers.

With relation to unfixed vulnerabilities… it is time to force hardware manufacturers to support their products for at least ten years, perhaps even twenty. How many hardware vulnerabilities remain open in products like Intel ME as a consequence of inaction from manufacturers?

No, replacing hardware is not the option. Manufacturers should maintain their buggy products or provide ways to limit the impact of unfixed vulnerabilities. Intel, for example, should either provide fixes for its four years old ⸺and now unmaintained⸺ Intel ME versions or provide a patch to permanently disable it.

Manufacturers should be liable for their lack of care.

Ismar September 18, 2020 5:22 PM


“ This technology was designed to solve a non-existing problem, connecting devices at short distances, but created a huge amount of vulnerabilities.”

You hit the nail on the head here – Solutionism as Evgeny Morozov argues is cause of many an issue in our modern societies.

Jesse Thompson September 20, 2020 6:49 PM

@Who? & @Ismar

This technology was designed to solve a non-existing problem, connecting devices at short distances

Alright, so just to be clear: are you suggesting that devices a short distance away from one another ought remain unconditionally disconnected from one another?

That might be bad news for monitor and keyboard, as those connect PC to brain at a close distance.. 🤔

Clive Robinson September 21, 2020 6:03 AM

@ Jesse Thompson,

Alright, so just to be clear:…

Out of context questions can be such fun…

Part of the context is that BlueTooth came along quite some time after other base data communications methods. Which were already doing the base data comms at the same frequencies and could work effectively from a volume of a 5metre diameter upto a 300metre diameter which was the effective limit placed on the frequency band by international and national device licencing requirments.

The context of BlueTooth has allways been questionable as it was to be for “reliable and secure about person wireless communications” that is volumes of 2metre diameter. But… As one assumed object –the human body– absorbs the frequency in use quite effectively achieving head to toe coverage, would need powers to compensate for the absorption so would have a free space range not very different to the 5-300m diameter of WiFi.

The argument went further that because BlueTooth would use different modulation methods it could “co-exist” with other ISM band users, which is not actually true (at best it would still lift the noise floor at the receicver thus significantly diminishing it’s distant signal performance).

And so on.

That is someone was trying very hard to create a faux marketplace…

Wikipedia will no doubt furnish the names of the organisations that benifited from the “created market”. The current nonsense from the US executive over 5G is very much for the same reasons. It’s a “one ring to rule them all” game with pattent licencing being forced into standards being the desired power/prize.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.