CVE-2020-15802: Bluetooth Core Auth Bypass Vulnerability

CVE-2020-15802 Overview

CVE-2020-15802, commonly known as BLURtooth, is a man-in-the-middle vulnerability affecting devices supporting Bluetooth before version 5.1. The flaw exists in the Cross Transport Key Derivation (CTKD) mechanism in Bluetooth Core Specification v4.2 and v5.0, which may permit an unauthenticated user to establish a bonding with one transport (either LE or BR/EDR) and replace a bonding already established on the opposing transport. This can potentially result in overwriting an authenticated key with an unauthenticated key, or replacing a key with greater entropy with one having less entropy.

Critical Impact

An unauthenticated attacker within Bluetooth range can exploit CTKD to overwrite authenticated encryption keys, enabling man-in-the-middle attacks on paired devices and potentially compromising the integrity of Bluetooth communications.

Affected Products

• Bluetooth Core Specification v4.2
• Bluetooth Core Specification v5.0
• Devices supporting Bluetooth before 5.1

Discovery Timeline

• 2020-09-11 - CVE-2020-15802 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-15802

Vulnerability Analysis

The BLURtooth vulnerability (CVE-2020-15802) stems from a fundamental design weakness in the Cross Transport Key Derivation (CTKD) component of the Bluetooth specification. CTKD was introduced to allow devices to generate both Bluetooth Low Energy (LE) and Basic Rate/Enhanced Data Rate (BR/EDR) link keys from a single pairing process, simplifying the user experience when connecting dual-mode devices.

The vulnerability exploits the trust relationship between the two transport types. When a device pairs using CTKD, it derives keys for both transports from a single pairing event. An attacker can abuse this mechanism by initiating a new pairing with weaker security requirements on one transport, which then overwrites the existing stronger key on the other transport. This authentication bypass (CWE-287) allows the attacker to downgrade the security of an already-established connection.

Root Cause

The root cause is improper authentication in the Cross Transport Key Derivation mechanism. The Bluetooth Core Specification v4.2 and v5.0 did not adequately enforce security level checks when deriving keys across transports. Specifically, the specification allowed keys generated through unauthenticated pairing on one transport to overwrite authenticated keys on the opposing transport without proper validation of the security properties of the existing bond.

Attack Vector

The attack requires the adversary to be within Bluetooth radio range of the target device. The attacker must identify a vulnerable device that supports both BR/EDR and LE transports and has previously established a secure bond. The attacker then initiates a new pairing session using the transport with weaker security requirements, exploiting CTKD to derive and overwrite the existing keys on both transports.

The exploitation involves spoofing the identity of a previously paired device and initiating a pairing procedure that bypasses the stronger authentication mechanisms of the existing bond. Once successful, the attacker can intercept and potentially modify communications between the victim device and its legitimately paired counterpart.

Detection Methods for CVE-2020-15802

Indicators of Compromise

• Unexpected Bluetooth re-pairing requests from previously paired devices
• Bluetooth connection anomalies or authentication failures with known paired devices
• Unusual Bluetooth traffic patterns indicating potential man-in-the-middle activity
• Device logs showing bond overwrites or key regeneration events without user initiation

Detection Strategies

• Monitor system logs for unexpected Bluetooth pairing events or bond changes
• Implement Bluetooth traffic analysis to detect anomalous pairing behavior
• Deploy endpoint detection solutions that can identify unauthorized Bluetooth bonding attempts
• Review device pairing history for evidence of key overwrites or security downgrades

Monitoring Recommendations

• Enable verbose Bluetooth logging on critical devices to capture pairing events
• Implement network segmentation and restrict Bluetooth connectivity in high-security environments
• Utilize SentinelOne's endpoint protection to monitor for suspicious Bluetooth-related activity
• Regularly audit Bluetooth-enabled devices for firmware and driver updates

How to Mitigate CVE-2020-15802

Immediate Actions Required

• Update Bluetooth-enabled devices to versions supporting Bluetooth 5.1 or later where CTKD restrictions are enforced
• Apply vendor-specific firmware and driver updates that address the BLURtooth vulnerability
• Disable Bluetooth functionality on devices where it is not essential
• Restrict Bluetooth pairing to trusted environments only and remove unused pairings

Patch Information

The Bluetooth SIG has addressed this vulnerability in Bluetooth Core Specification 5.1 and later versions, which include restrictions on CTKD to prevent key overwriting attacks. Device manufacturers have been advised to implement these restrictions in their firmware updates. Organizations should consult the Bluetooth Security Advisory on BLURtooth for detailed guidance and verify with device vendors regarding patch availability. Additional technical details are available in CERT Vulnerability Notice #589825.

Workarounds

• Disable CTKD functionality if supported by the device configuration
• Limit Bluetooth discoverability and disable automatic pairing features
• Physically secure Bluetooth-enabled devices to reduce exposure to nearby attackers
• Consider disabling dual-mode Bluetooth operation where single-transport operation is sufficient

# Example: Disable Bluetooth discoverability on Linux systems
# Check current Bluetooth status
hciconfig hci0

# Disable discoverability (piscan disabled, only iscan allowed)
hciconfig hci0 noscan

# Alternatively, disable Bluetooth entirely when not in use
systemctl stop bluetooth
systemctl disable bluetooth