BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys


Level 40
Jan 9, 2020
The organizations behind the Bluetooth wireless technology have published guidance today on how device vendors can mitigate a new attack on Bluetooth-capable devices.

Named BLURtooth, this is a vulnerability in a component of the Bluetooth standard named Cross-Transport Key Derivation (CTKD).

This component is used for negotiating and setting up authentication keys when pairing two Bluetooth-capable devices.

The component works by setting up two different sets of authentication keys for both the Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) standards.

CTKD's role is to have the keys ready and let the paired devices decide what version of the Bluetooth standard they want to use. Its primary use is for the Bluetooth "dual-mode" feature.

But according to security notices published today by the Bluetooth Special Interest Group (SIG) and the CERT Coordination Center at the Carnegie Mellon University (CERT/CC), an attacker can manipulate the CTKD component to overwrite other Bluetooth authentication keys on a device, and grant an attacker connecting via Bluetooth access to other Bluetooth-capable services/apps on the same device.

In some versions of the BLURtooth attack, the authentication keys can be overwritten completely, while in others, authentication keys can be downgraded to use weak encryption.

All devices using the Bluetooth standard 4.0 through 5.0 are vulnerable. The Bluetooth 5.1 standard comes with features that can be activated and prevent BLURtooth attacks.

Bluetooth SIG officials say they started notifying vendors of Bluetooth devices about the BLURtooth attacks and how they could mitigate its effects when using the 5.1 standard.

Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks, or pairings with rogue devices carried out via social engineering (tricking the human operator).

However, patches are expected to be available at some point. When they are, they will most likely be integrated as firmware or operating system updates for Bluetooth-capable devices.

The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as others do. The number of vulnerable devices is also unclear and hard to quantify.

Users can keep track if their device has received a patch for the BLURtooth attacks by checking firmware and OS release notes for CVE-2020-15802, the bug identifier of the BLURtooth vulnerability.

According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.
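
A simplified model of the key-overwrite problem described in the article above, added here as an illustration; it is not code from the article, the Bluetooth SIG or any vendor stack. The `BondStore` class, its `restrict_ctkd` flag and the rule it applies (reject a CTKD-derived key that is shorter or less authenticated than the one already stored) are assumptions about what a hardened key store would check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BondKey:
    transport: str          # "LE" or "BR/EDR"
    key_size: int           # effective key size in bytes
    authenticated: bool     # pairing was authenticated (MITM-protected)
    via_ctkd: bool = False  # derived from the other transport's key

class BondStore:
    """Toy per-peer key store; restrict_ctkd models the hardened policy."""

    def __init__(self, restrict_ctkd: bool):
        self.restrict_ctkd = restrict_ctkd
        self.keys = {}    # (peer address, transport) -> BondKey
        self.audit = []   # rejected writes, kept for logging/detection

    def store(self, peer: str, new: BondKey) -> bool:
        slot = (peer, new.transport)
        old = self.keys.get(slot)
        if self.restrict_ctkd and new.via_ctkd and old is not None:
            # Assumed rule: a derived key may not replace a stronger one.
            weaker = (new.key_size < old.key_size
                      or (old.authenticated and not new.authenticated))
            if weaker:
                self.audit.append((peer, new.transport, "ctkd-downgrade-rejected"))
                return False
        self.keys[slot] = new
        return True

def demo(restrict_ctkd: bool):
    """Return (accepted, resulting BR/EDR key, audit log) for one scenario."""
    store = BondStore(restrict_ctkd)
    peer = "AA:BB:CC:DD:EE:FF"  # constructed address
    # Existing authenticated BR/EDR bond with a full-length key.
    store.store(peer, BondKey("BR/EDR", 16, True))
    # Later, an unauthenticated LE pairing derives a BR/EDR key via CTKD.
    accepted = store.store(peer, BondKey("BR/EDR", 7, False, via_ctkd=True))
    return accepted, store.keys[(peer, "BR/EDR")], store.audit

if __name__ == "__main__":
    for flag in (False, True):
        print("restrict_ctkd =", flag, "->", demo(flag))
```

With `restrict_ctkd=False` the stored BR/EDR key ends up replaced by the weaker derived one; with `restrict_ctkd=True` the original key is kept and the rejected write is recorded in `audit`.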


Level 7
Aug 2, 2020
Has nobody watched Person of Interest? lol
Bluetooth has been riddled with security issues for a long time.

This is only the "new" attack we know about now.
How would anyone know how long this attack has been exploited? Bluetooth 4.0 has been out since 2010.


Staff member
Malware Hunter
Jul 27, 2015
This sounds indeed very scary!
Can understand that, but many of these attacks are not done as easily as a snap of one's fingers. It's also normally recommended to try to read up on these "threats", as with knowledge people get less scared. Bluetooth attacks require the feature to actually be turned ON to start with.

Bluetooth 5.1 is said to cover this specific attack. Great, but I don't even have to check my own now old P20 Pro to know it doesn't have Bluetooth 5.1. I know the latest Huawei P40, Pro and Pro+ have it. But down the road some other researcher will more than likely find a new hole/vulnerability even with 5.1 and newer. Personally, I'm glad this issue got an assigned CVE number (CVE-2020-15802), as that is something we as consumers can keep an eye on and try to trace, and even ask the vendors when or if they will be implemented. Most vendors usually have an update page on their site, so start checking there first.