CVE-2020-15802 Overview
CVE-2020-15802, publicly known as BLURtooth, affects devices implementing Bluetooth Core Specification versions 4.2 and 5.0. The flaw resides in Cross-Transport Key Derivation (CTKD), the mechanism that allows pairing keys generated on one transport (Bluetooth Low Energy or BR/EDR) to be reused on the other. An unauthenticated attacker within radio range can abuse CTKD to overwrite an existing authenticated bonding key with an unauthenticated one, or replace a high-entropy key with one of lower entropy. The resulting trust relationship enables man-in-the-middle (MITM) attacks against paired devices. This issue is tracked under [CWE-287] Improper Authentication.
Critical Impact
Successful exploitation allows an attacker to impersonate a previously bonded device and intercept or manipulate Bluetooth communications between authenticated peers.
Affected Products
- Bluetooth Core Specification v4.2
- Bluetooth Core Specification v5.0
- Devices supporting Bluetooth prior to version 5.1 that implement Cross-Transport Key Derivation
Discovery Timeline
- 2020-09-11 - CVE-2020-15802 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-15802
Vulnerability Analysis
Dual-mode Bluetooth devices support both Bluetooth Low Energy (LE) and Basic Rate/Enhanced Data Rate (BR/EDR) transports. Cross-Transport Key Derivation lets a device pair once on one transport and derive a Long Term Key (LTK) or Link Key for the other transport without re-pairing. The Bluetooth Core Specification v4.2 and v5.0 did not require the derived key to meet or exceed the security properties of the existing key on the opposite transport. An attacker can therefore initiate a new pairing on the unprotected transport and force the device to overwrite a strong, authenticated key with a weaker one.
Once the trusted key is degraded, the attacker can authenticate to the victim as the previously bonded peer and act as a relay between the two legitimate endpoints. The attack is rated as higher complexity because the adversary must be within Bluetooth radio range and must complete the unauthorized pairing while the device is in a state that accepts it.
Root Cause
The defect is a specification-level authentication weakness: the CTKD rules in v4.2 and v5.0 contained no policy constraint preventing a derived key from overwriting an existing key that offered stronger authentication, higher entropy, or MITM protection. The Bluetooth SIG addressed this in the v5.1 errata by mandating that derived keys must not replace stronger existing keys.
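The following model shows the key-replacement decision the root cause is about: the v4.2/v5.0 behaviour that overwrites the opposite transport's key unconditionally, beside the errata behaviour that refuses to replace a stronger key. It is an added illustration written for this page, not code from the Bluetooth SIG or from any Bluetooth stack; keys are reduced to three security properties (MITM-authenticated, Secure Connections, encryption key size in bytes) and the real derivation functions and key-size negotiation are not reproduced. The scenario data (VICTIM_BONDS, JUST_WORKS_BREDR) is constructed.

```python
"""Model of the CTKD key-replacement decision behind CVE-2020-15802.

Added illustration, not code from the Bluetooth SIG or from any Bluetooth
stack. Keys carry only three security properties; the h6/h7 derivation
functions and key-size negotiation of the real protocol are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BondKey:
    transport: str            # "LE" (Long Term Key) or "BR/EDR" (Link Key)
    authenticated: bool       # pairing had MITM protection (passkey / numeric comparison)
    secure_connections: bool  # P-256 Secure Connections pairing (CTKD requires this)
    key_size: int             # encryption key size in bytes (7..16)


def other_transport(transport):
    return "BR/EDR" if transport == "LE" else "LE"


def weaker_than(new, existing):
    """True if `new` is weaker than `existing` on any property: lost MITM
    authentication, a legacy key replacing a Secure Connections key, or less entropy."""
    return ((existing.authenticated and not new.authenticated)
            or (existing.secure_connections and not new.secure_connections)
            or new.key_size < existing.key_size)


def ctkd_derive(pairing_key):
    """Cross-transport derivation: the key produced for the other transport
    inherits the security properties of the key it was derived from."""
    return BondKey(other_transport(pairing_key.transport),
                   pairing_key.authenticated,
                   pairing_key.secure_connections,
                   pairing_key.key_size)


def ctkd_vulnerable(bonds, pairing_key):
    """Core Specification v4.2 / v5.0 behaviour: the derived key replaces
    whatever key already exists on the other transport, unconditionally."""
    updated = dict(bonds)
    derived = ctkd_derive(pairing_key)
    updated[pairing_key.transport] = pairing_key
    updated[derived.transport] = derived
    return updated


def ctkd_fixed(bonds, pairing_key):
    """Errata behaviour: the derived key is stored only when no stronger key
    already exists on the other transport (the existing bond is kept otherwise)."""
    updated = dict(bonds)
    derived = ctkd_derive(pairing_key)
    updated[pairing_key.transport] = pairing_key
    existing = bonds.get(derived.transport)
    if existing is None or not weaker_than(derived, existing):
        updated[derived.transport] = derived
    return updated


# Constructed scenario: the victim holds an authenticated Secure Connections
# LE bond with its legitimate peer and no BR/EDR bond.  A new BR/EDR pairing
# completes with Just Works (no MITM protection) and triggers CTKD.
VICTIM_BONDS = {"LE": BondKey("LE", True, True, 16)}
JUST_WORKS_BREDR = BondKey("BR/EDR", False, True, 16)


def demo():
    """Report whether the LE bond ends up weaker under each behaviour."""
    before = VICTIM_BONDS["LE"]
    after_vuln = ctkd_vulnerable(VICTIM_BONDS, JUST_WORKS_BREDR)["LE"]
    after_fixed = ctkd_fixed(VICTIM_BONDS, JUST_WORKS_BREDR)["LE"]
    return {"vulnerable_downgraded": weaker_than(after_vuln, before),
            "fixed_downgraded": weaker_than(after_fixed, before)}


if __name__ == "__main__":
    for name, downgraded in demo().items():
        print(f"{name}: {downgraded}")
```

The same `weaker_than` check covers the entropy case the overview mentions: an LE pairing that negotiates a 7-byte key derives a 7-byte key for BR/EDR, which the fixed policy refuses to store over a 16-byte link key.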
Attack Vector
Exploitation requires proximity to the target and the ability to initiate Bluetooth pairing. The attacker pairs with the victim on a transport where bonding is unauthenticated, triggers CTKD, and silently overwrites the authenticated key on the opposite transport. No user interaction or prior privileges on the target are required. Refer to the Bluetooth SIG BLURtooth advisory and CERT/CC VU#589825 for protocol-level details.
Detection Methods for CVE-2020-15802
Indicators of Compromise
- Unexpected re-pairing prompts or bonding requests from previously trusted devices.
- Bluetooth host controller logs showing CTKD-initiated key replacement on an already-bonded transport.
- Unknown Bluetooth peers within range during periods of unusual connectivity behavior.
Detection Strategies
- Audit Bluetooth bonding databases on managed endpoints for changes in key type, authentication flag, or entropy after pairing events.
- Correlate HCI (Host Controller Interface) traces with Bluetooth pairing telemetry to surface unauthenticated CTKD derivations.
- Monitor for repeated pairing failures followed by a successful low-security pairing, a sequence consistent with an attacker coercing an unauthenticated pairing before CTKD runs.
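The bonding-database audit described above (and the downgrade alerting under Monitoring Recommendations) can be implemented by diffing per-device bond records taken before and after a pairing event. The script below is an added example written for this page, not a tool shipped by the advisory or by any Bluetooth stack. It assumes the per-device `info` layout BlueZ keeps under /var/lib/bluetooth/<adapter>/<peer>/ (a [LinkKey] section for the BR/EDR key, a [LongTermKey] section for the LE key); the code values in the two lookup tables are assumptions that must be checked against the stack in use, and the snapshots are constructed.

```python
"""Audit bonding records for CVE-2020-15802 downgrade indicators.

Added example, not part of the advisory. Assumes BlueZ-style per-device
`info` files; the value encodings in the two tables are assumptions.
"""
import configparser
from dataclasses import dataclass

# BR/EDR "Type": key-type codes as in the HCI Link Key Notification event,
# mapped to (MITM-authenticated, Secure Connections).
LINK_KEY_TYPES = {
    0: (False, False),  # combination key (legacy PIN pairing)
    3: (False, False),  # debug combination key
    4: (False, False),  # unauthenticated combination key, P-192
    5: (True, False),   # authenticated combination key, P-192
    7: (False, True),   # unauthenticated combination key, P-256
    8: (True, True),    # authenticated combination key, P-256
}
# LE "Authenticated": assumed to hold the kernel mgmt LTK type
# (0 unauth legacy, 1 auth legacy, 2 unauth SC, 3 auth SC).
LTK_AUTH_TYPES = {0: (False, False), 1: (True, False), 2: (False, True), 3: (True, True)}


@dataclass(frozen=True)
class KeyProps:
    authenticated: bool
    secure_connections: bool
    key_size: int  # encryption key size in bytes


def parse_bond(info_text):
    """Return {transport: KeyProps} for one device's info file contents."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(info_text)
    props = {}
    if cp.has_section("LinkKey"):
        auth, sc = LINK_KEY_TYPES.get(cp.getint("LinkKey", "Type"), (False, False))
        props["BR/EDR"] = KeyProps(auth, sc, 16)  # BR/EDR link keys are 128-bit
    if cp.has_section("LongTermKey"):
        auth, sc = LTK_AUTH_TYPES.get(cp.getint("LongTermKey", "Authenticated"), (False, False))
        props["LE"] = KeyProps(auth, sc, cp.getint("LongTermKey", "EncSize"))
    return props


def downgrades(before, after):
    """List (transport, reason) for every existing bond whose new key is weaker
    than the one it replaced. Bonds that are new on a transport are not downgrades."""
    findings = []
    for transport, old in before.items():
        new = after.get(transport)
        if new is None:
            continue
        if old.authenticated and not new.authenticated:
            findings.append((transport, "MITM-authenticated key replaced by unauthenticated key"))
        if old.secure_connections and not new.secure_connections:
            findings.append((transport, "Secure Connections key replaced by legacy key"))
        if new.key_size < old.key_size:
            findings.append((transport, f"key size reduced {old.key_size}->{new.key_size}"))
    return findings


def audit(snapshot_before, snapshot_after):
    """Compare two {peer_address: info_text} snapshots taken around a pairing
    event; return {peer_address: findings} for peers whose bond was downgraded."""
    report = {}
    for addr, text in snapshot_after.items():
        if addr not in snapshot_before:
            continue
        findings = downgrades(parse_bond(snapshot_before[addr]), parse_bond(text))
        if findings:
            report[addr] = findings
    return report


# Constructed snapshots (address and key material are placeholders).
# Before: the peer has an authenticated Secure Connections LE bond only.
# After: a BR/EDR Just Works pairing appeared and the LE LTK is now unauthenticated.
SNAPSHOT_BEFORE = {"AA:BB:CC:DD:EE:01": """[General]
Name=Constructed Headset

[LongTermKey]
Key=00112233445566778899AABBCCDDEEFF
Authenticated=3
EncSize=16
"""}
SNAPSHOT_AFTER = {"AA:BB:CC:DD:EE:01": """[General]
Name=Constructed Headset

[LinkKey]
Key=FFEEDDCCBBAA99887766554433221100
Type=7
PINLength=0

[LongTermKey]
Key=0F1E2D3C4B5A69788796A5B4C3D2E1F0
Authenticated=2
EncSize=16
"""}

if __name__ == "__main__":
    for addr, findings in audit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        for transport, reason in findings:
            print(f"{addr} [{transport}]: {reason}")
```

Run against real snapshots, the interesting finding is a downgrade on a transport that saw no pairing of its own, which is exactly the CTKD-initiated replacement the Indicators of Compromise describe; a finding on the transport where the user deliberately re-paired is expected and can be suppressed by correlating with pairing telemetry.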
Monitoring Recommendations
- Enable verbose Bluetooth stack logging on high-value mobile and IoT assets and forward logs to a centralized SIEM.
- Alert on Bluetooth state transitions that downgrade authentication level, MITM protection, or key length on an existing bond.
- Track wireless proximity events near sensitive environments using Bluetooth-aware sensors or wireless intrusion detection systems.
How to Mitigate CVE-2020-15802
Immediate Actions Required
- Apply vendor firmware updates that implement Bluetooth Core Specification v5.1 CTKD restrictions on every dual-mode device.
- Disable Bluetooth on devices that cannot be patched, especially in environments handling sensitive data.
- Remove stale or untrusted bonding entries from endpoints and require re-pairing under controlled conditions.
Patch Information
The Bluetooth Special Interest Group resolved the issue through errata to the Bluetooth Core Specification that require CTKD to reject key derivations that would weaken an existing bond. Device manufacturers must ship firmware and Bluetooth stack updates incorporating these errata. Consult the Bluetooth SIG security notice and individual vendor advisories to confirm patch availability for specific chipsets and platforms.
Workarounds
- Keep Bluetooth disabled when not actively in use, particularly on devices in public or untrusted environments.
- Restrict pairing to known devices using allowlists and avoid pairing in crowded RF environments.
- Prefer Bluetooth Secure Connections with MITM protection and reject pairings that downgrade an existing bond.
# Example: disable Bluetooth on a Linux endpoint until firmware is updated
sudo systemctl stop bluetooth      # stop the Bluetooth daemon so no new pairings are accepted
sudo systemctl disable bluetooth   # keep the daemon from starting again at boot
sudo rfkill block bluetooth        # soft-block the radio so the adapter stays off even if the daemon is restarted
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.