CVE-2020-26555 Overview
CVE-2020-26555 is an authorization bypass vulnerability affecting the Bluetooth legacy BR/EDR (Basic Rate/Enhanced Data Rate) PIN code pairing mechanism in Bluetooth Core Specification versions 1.0B through 5.2. This vulnerability enables an unauthenticated attacker within Bluetooth range to spoof the BD_ADDR (Bluetooth Device Address) of a peer device and complete the pairing process without knowledge of the required PIN code.
The flaw exists in how the legacy Bluetooth pairing protocol handles device authentication, allowing attackers to impersonate legitimate devices during the pairing handshake. This represents a fundamental weakness in the Bluetooth specification itself rather than a specific implementation flaw, meaning all devices supporting legacy BR/EDR pairing are potentially affected.
Critical Impact
An attacker within adjacent network proximity can spoof Bluetooth device addresses to bypass PIN authentication and pair with victim devices, potentially enabling unauthorized access, data interception, or device compromise.
Affected Products
- Bluetooth Core Specification versions 1.0B through 5.2
- Intel AX210, AX201, AX200 Wireless Adapters and Firmware
- Intel AC 9560, AC 9462, AC 9461, AC 9260, AC 8265, AC 8260 Adapters and Firmware
- Intel AC 3168, AC 7265, AC 3165 Adapters and Firmware
- Intel Killer Wi-Fi 6E AX1675, Killer Wi-Fi 6 AX1650, Killer AC 1550 Adapters and Firmware
- Fedora 34
Discovery Timeline
- May 24, 2021 - CVE-2020-26555 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2020-26555
Vulnerability Analysis
This vulnerability stems from improper authorization (CWE-863) in the Bluetooth legacy BR/EDR PIN code pairing protocol. The attack requires the adversary to be within adjacent network (Bluetooth) range of the target device, but does not require user interaction or prior privileges to execute.
The vulnerability allows an attacker to complete the pairing process without possessing the legitimate PIN code by exploiting the protocol's failure to adequately verify the authenticity of the peer device's BD_ADDR during the pairing handshake. This enables device impersonation attacks that can lead to unauthorized device pairing, partial confidentiality compromise, and integrity violations on the affected Bluetooth connection.
The impact is limited to partial confidentiality and integrity compromise rather than complete system takeover, as the attacker gains access through an improperly authenticated Bluetooth pairing rather than direct system access.
Root Cause
The root cause lies in the Bluetooth Core Specification's legacy BR/EDR PIN code pairing mechanism, which does not adequately authenticate the BD_ADDR presented by devices during the pairing process. The protocol assumes the device presenting a BD_ADDR is the legitimate owner of that address, without cryptographic verification of this claim. This allows an attacker to observe or guess a target device's BD_ADDR and then impersonate that device during pairing negotiations with another device.
Attack Vector
The attack requires adjacent network proximity (Bluetooth range), which typically extends 10-100 meters depending on the device class and environment. An attacker would:
- Identify a target Bluetooth device and capture its BD_ADDR through Bluetooth scanning
- Wait for or trigger a pairing attempt between the target device and another device
- Spoof the BD_ADDR of the target device and engage in the pairing protocol
- Complete the pairing without knowledge of the PIN by exploiting the verification weakness
The vulnerability does not require user interaction on the victim devices, making it particularly concerning for devices that accept pairing requests automatically or without strong user confirmation mechanisms.
The technical details of this vulnerability involve protocol-level weaknesses in the Bluetooth specification. For comprehensive technical analysis, refer to the CERT Vulnerability Advisory #799380 and the Intel Security Advisory SA-00520.
Detection Methods for CVE-2020-26555
Indicators of Compromise
- Unexpected or unauthorized Bluetooth device pairings appearing in device pairing lists
- Multiple pairing attempts from devices with identical or similar BD_ADDR values
- Bluetooth pairing events occurring without user-initiated pairing requests
- Anomalous Bluetooth traffic patterns indicating spoofed device addresses
Detection Strategies
- Monitor Bluetooth pairing logs for unexpected device connections or repeated failed pairing attempts
- Implement endpoint detection rules that alert on new Bluetooth device pairings, especially on sensitive systems
- Use network and device monitoring solutions to track Bluetooth device inventories and flag unauthorized additions
- Review system logs for Bluetooth service events that indicate pairing without proper user authorization
Monitoring Recommendations
- Enable verbose Bluetooth logging on critical systems to capture pairing events and device connection details
- Implement centralized logging for Bluetooth-enabled enterprise devices to correlate suspicious pairing activities
- Deploy SentinelOne endpoint protection with behavioral analysis to detect anomalous device pairing patterns
- Conduct periodic audits of paired Bluetooth devices across enterprise endpoints
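One way to run this audit on Linux hosts, as an added example (not from the original page or from the BlueZ project): BlueZ records each bond's link key type in /var/lib/bluetooth/<adapter>/<device>/info, and a combination key (type 0) means the bond was created by legacy PIN pairing. The sample files and device names are constructed.

```python
import configparser
from pathlib import Path

# Key types as reported in the HCI Link Key Notification event.
KEY_TYPES = {
    0: "combination (legacy PIN pairing)", 1: "local unit", 2: "remote unit",
    3: "debug combination", 4: "unauthenticated P-192", 5: "authenticated P-192",
    6: "changed combination", 7: "unauthenticated P-256", 8: "authenticated P-256",
}
LEGACY_TYPES = {0, 1, 2}  # keys that legacy (pre-SSP) pairing produces

def classify_bond(info_text):
    """Return link-key details for one info file, or None if it holds no BR/EDR bond."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # BlueZ key names are case-sensitive
    try:
        cp.read_string(info_text)
    except configparser.Error:  # unparsable file: nothing to classify
        return None
    if not cp.has_section("LinkKey"):
        return None
    try:
        key_type = cp.getint("LinkKey", "Type", fallback=-1)
    except ValueError:  # malformed Type value: report it rather than crash
        key_type = -1
    return {
        "name": cp.get("General", "Name", fallback="(unknown)"),
        "key_type": KEY_TYPES.get(key_type, f"unrecognised ({key_type})"),
        "legacy": key_type in LEGACY_TYPES,
    }

def audit(root="/var/lib/bluetooth"):
    """Return [(adapter, device, details)] for each legacy-paired bond under root."""
    found = []
    for info in sorted(Path(root).glob("*/*/info")):
        details = classify_bond(info.read_text(errors="replace"))
        if details and details["legacy"]:
            found.append((info.parent.parent.name, info.parent.name, details))
    return found

# Constructed sample files (not real devices or keys).
SAMPLE_LEGACY = "[General]\nName=Constructed Headset\n[LinkKey]\nKey=00000000000000000000000000000000\nType=0\nPINLength=4\n"
SAMPLE_SSP = "[General]\nName=Constructed Keyboard\n[LinkKey]\nKey=00000000000000000000000000000000\nType=8\nPINLength=0\n"

if __name__ == "__main__":
    for sample in (SAMPLE_LEGACY, SAMPLE_SSP):
        print(classify_bond(sample))
    for adapter, device, d in audit():  # live check; needs root on a BlueZ host
        print(f"{adapter} {device} {d['name']}: {d['key_type']}")
```

Bonds it reports are candidates for removal and re-pairing with Secure Simple Pairing or Secure Connections.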
How to Mitigate CVE-2020-26555
Immediate Actions Required
- Disable legacy BR/EDR PIN code pairing and enforce Secure Simple Pairing (SSP) or LE Secure Connections where supported
- Disable Bluetooth on devices where it is not required for business operations
- Implement strict Bluetooth visibility policies to limit device discoverability
- Review and remove any unauthorized or unknown paired Bluetooth devices from all systems
Patch Information
Vendors have released firmware updates to address this vulnerability. Intel has issued Security Advisory SA-00520 with guidance for affected Intel wireless adapters. Fedora has released a package update addressing the vulnerability. Check with your Bluetooth device manufacturers for specific firmware updates.
For the core specification issue, the Bluetooth SIG has published guidance through their Security Reporting portal.
Workarounds
- Configure devices to require Secure Simple Pairing (SSP) instead of legacy PIN-based pairing
- Set Bluetooth devices to non-discoverable mode when not actively pairing
- Require user confirmation for all Bluetooth pairing attempts
- Implement physical security controls to limit attacker proximity to sensitive Bluetooth-enabled devices
- Consider using Bluetooth Low Energy (BLE) with LE Secure Connections for newer deployments
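# Example: Disable legacy pairing on Linux systems (BlueZ)
# Edit /etc/bluetooth/main.conf
[General]
# Allow only Secure Connections pairing (valid values: off, on, only)
SecureConnections = only
[Policy]
# Do not power on adapters automatically at startup
# (AutoEnable controls adapter power, not pairing)
AutoEnable = false
# Edit /etc/bluetooth/input.conf (ClassicBondedOnly is an input plugin option)
[General]
# Accept classic HID connections only from bonded devices
ClassicBondedOnly = true
# Restart Bluetooth service
sudo systemctl restart bluetooth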
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


