Bluetooth has kept its fair share of die-hard stans over the years, despite some pretty gnarly bugs that open devices to a bevy of bad actors. Now the organization behind the technology of the same name has published an explanation of the latest threat to those of us with Bluetooth-enabled devices, and there's no patch in sight.
BLURtooth, as the issue has been dubbed, was brought to the company's attention by researchers from the Bluetooth Special Interest Group and confirmed by another group from Carnegie Mellon. According to the researchers, the protocols that both Android and iOS follow when connecting to another Bluetooth device, such as a pair of speakers, can effectively be hijacked to give an attacker access to a Bluetooth app or service on the phone.
The problem lies with a protocol called Cross-Transport Key Derivation (CTKD for short). When, for example, an iPhone is preparing to pair with a Bluetooth device, CTKD's job is to set up two separate authentication keys for that phone: one for a "Bluetooth Low Energy" device and one for a device that uses the so-called "Basic Rate / Enhanced Data Rate" standard. Different devices require different amounts of data, and battery power, from a phone. It's more efficient to be able to switch between the standards for Bluetooth devices that take in a lot of data (like a Chromecast) and those that require a little less (like a smartwatch). Incidentally, it may also be less secure.
According to the researchers, if a phone supports both standards but doesn't require user authentication or permission, a hackery sort within Bluetooth range can use its CTKD connection to derive their own competing key. With this connection, the researchers say, this type of replacement authentication can also enable bad actors to weaken the encryption that these keys use in the first place, which can open their owner up to further attacks in the future or to "man in the middle" style attacks that eavesdrop on unprotected data sent by the phone's apps and services.
So far there are no examples of BLUR-based exploits in the wild. But just to be on the safe side, the Bluetooth Special Interest Group has reportedly begun advising device manufacturers of the threat posed by these types of attacks, saying that those concerned about a potentially vulnerable connection should use the handy CTKD restrictions that come with Bluetooth 5.1. As for Bluetooth 4.0 and 5.0 devices, they are simply stuck with this massive security gap for the time being. For people using those devices, according to the Bluetooth organization's statement, the only way to protect yourself is to keep an eye on the environment in which you connect your devices, as any deceitful actor would have to be nearby to carry out these types of attacks.
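To make the kind of restriction mentioned above concrete, here is an added example (not code from the article, the researchers or the Bluetooth SIG) that models a bond store with and without a CTKD overwrite check. The class and function names are hypothetical, the key values are constructed, and the rule itself (a derived key may not replace a key that is authenticated or longer than it) is an assumption about what such a restriction enforces.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Key:                       # hypothetical model of one stored pairing key
    authenticated: bool          # True if the user confirmed the pairing
    key_size: int                # encryption key size in bytes

def ctkd_may_overwrite(existing: Optional[Key], derived: Key) -> bool:
    """Assumed restriction: a CTKD-derived key never replaces a stronger one."""
    if existing is None:
        return True              # nothing stored yet, nothing to downgrade
    if existing.authenticated and not derived.authenticated:
        return False             # would drop the authentication guarantee
    return derived.key_size >= existing.key_size   # would shorten the key

class BondStore:
    """Per-peer keys for both transports, "LE" and "BR/EDR"."""
    def __init__(self, restrict_ctkd: bool):
        self.restrict_ctkd = restrict_ctkd
        self.keys: Dict[Tuple[str, str], Key] = {}

    def apply_ctkd(self, peer: str, paired_on: str, key: Key) -> bool:
        """After pairing on one transport, derive the key for the other one.
        Returns True if the derived key was stored."""
        other = "BR/EDR" if paired_on == "LE" else "LE"
        existing = self.keys.get((peer, other))
        if self.restrict_ctkd and not ctkd_may_overwrite(existing, key):
            return False         # derived key rejected, existing key kept
        self.keys[(peer, other)] = key   # derived key inherits the same strength
        return True

def bredr_key_after_unauthenticated_le_pairing(restrict_ctkd: bool) -> Key:
    store = BondStore(restrict_ctkd)
    # Constructed state: an existing, user-confirmed BR/EDR bond with a speaker.
    store.keys[("speaker", "BR/EDR")] = Key(authenticated=True, key_size=16)
    # Constructed event: a device in range pairs over LE under the same
    # identity without user confirmation, and CTKD derives a BR/EDR key.
    store.apply_ctkd("speaker", "LE", Key(authenticated=False, key_size=7))
    return store.keys[("speaker", "BR/EDR")]

if __name__ == "__main__":
    print("no restriction:  ", bredr_key_after_unauthenticated_le_pairing(False))
    print("with restriction:", bredr_key_after_unauthenticated_le_pairing(True))
```

Without the check, the stored BR/EDR key ends up unauthenticated and shorter; with it, the original bond survives the competing derivation.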
There are other small steps you can take if you're nervous about Bluetooth snooping, but they don't include a patch at the moment. And since none of these players has published a patch timeline, we really are left to the whims of Bluetooth device manufacturers and operating system vendors to do the right thing quickly.