Blurstar – CVE-2020-15802
According to the press statement made by the company from Bluetooth, regarding the exploitation of Bluetooth devices through Cross-Transport Key Derivation, this was discovered by independently by Purdue University and Researchers at École Polytechnique Fédérale de Lausanne EPFL. The CTKD is used in implementations supporting pairing and encryption with Bluetooth BR/EDR ( Basic Rate/ Enhanced Data Rate) and LE in Bluetooth 4.2 to 5.0. When the CTKD is implemented in older version, escalation can occur between the two transports with non-authenticated keys replacing authenticated keys. Stronger keys get replaced by weak keys, allowing a remoted paired device to access some LE services if BR/EDR access is achieved or BR/EDR profiles if LE access is achieved. This part SIG says is not the vulnerability, but an intended feature which allowed users to only pair once to dual mode devices.
For a successful attack, attacker must be in Bluetooth range of a victim with a vulnerable Bluetooth device supporting both BR/EDR and LE transports that support CKTD between the transports and permits pairing on either transport with no authentication or no user-controlled access restriction. When a spoofed device becomes paired or bonded, and CTKD is used to derive a key and overwrites a pre-existing key of greater strength created using authentication, access to authenticated services may occur, permitting MITM attacks between devices previously bonded using authenticated pairing.
The Bluetooth SIG recommends implementing restrictions on CTKD that are in the Core Specifications of version 5.51 and later. “The SIG also recommends that devices restrict when they are pairable on either transport to times when user interaction places the device into a pairable mode”. For end users, they must wait for a patch when companies make one for their devices. Older and more legacy devices may never get patched or will take longer than newer devices.
Sources: