A new vulnerability has been found that can affect a large number of devices worldwide. The Bluetooth SIG, the organisation that helps develop the Bluetooth standard, issued an official statement informing the public about the new, unpatched vulnerability. The flaw was discovered by two teams of academic researchers. They found it in the Cross-Transport Key Derivation (CTKD) of devices that support both the Basic Rate/Enhanced Data Rate (BR/EDR) and Bluetooth Low Energy (BLE) standards.
Cross-Transport Key Derivation (CTKD) is the Bluetooth component responsible for adjusting the authentication keys when two devices pair over Bluetooth. The flaw described by the researchers affects only devices that use Bluetooth 4.0 or 5.0. The vulnerability allows attackers to connect to a nearby device without any authorisation by overwriting the authenticated keys. They can also reduce the strength of the encryption key. In the words of the researchers, “Dual-mode devices using CTKD to generate a Long Term Keys (LTK) or Link Key (LK) are able to overwrite the original LTK or LK in cases where that transport was enforcing a higher level of security.”
According to reports, this flaw can lead to a lot of damage. The Carnegie Mellon CERT Coordination Center also published an advisory on the issue, which states clearly that the vulnerability can enable many potential attacks. Through the unauthorised pairing, an attacker can access confidential information very quickly. The Bluetooth SIG is currently working towards releasing patches for the vulnerability and has also introduced restrictions in Bluetooth version 5.1. The researchers have also issued advice to help users protect themselves against the attack.
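
The overwrite the researchers describe can be modelled as a store of pairing keys, run once without and once with a guard that refuses a CTKD-derived key weaker than the one already stored. This is an added example, not code from the Bluetooth SIG or the researchers; `BondKey`, `BondStore`, the guard policy and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BondKey:
    """One stored key (LTK on LE, Link Key on BR/EDR). Hypothetical model."""
    transport: str        # "LE" or "BR/EDR"
    authenticated: bool   # True if the pairing that produced it was authenticated
    key_size: int         # encryption key strength in bytes
    via_ctkd: bool        # True if derived from the other transport by CTKD

def is_downgrade(old: BondKey, new: BondKey) -> bool:
    """A replacement is weaker if it loses authentication or key strength."""
    return (old.authenticated and not new.authenticated) or new.key_size < old.key_size

class BondStore:
    """Key store for paired peers; guard_ctkd enables the assumed mitigation."""
    def __init__(self, guard_ctkd: bool):
        self.guard_ctkd = guard_ctkd
        self.keys = {}       # (peer, transport) -> BondKey
        self.rejected = []   # audit trail of refused overwrites

    def store(self, peer: str, key: BondKey) -> bool:
        slot = (peer, key.transport)
        old = self.keys.get(slot)
        # Guard: a CTKD-derived key may not replace a stronger existing key.
        if self.guard_ctkd and old is not None and key.via_ctkd and is_downgrade(old, key):
            self.rejected.append((peer, key))
            return False
        self.keys[slot] = key
        return True

PEER = "AA:BB:CC:DD:EE:FF"  # constructed address, not a real device

def demo(guard_ctkd: bool) -> BondStore:
    """Store a strong LE key, then offer a weaker CTKD-derived replacement."""
    store = BondStore(guard_ctkd)
    store.store(PEER, BondKey("LE", True, 16, via_ctkd=False))
    store.store(PEER, BondKey("LE", False, 7, via_ctkd=True))
    return store

if __name__ == "__main__":
    for guard in (False, True):
        s = demo(guard)
        print("guard:", guard, "stored:", s.keys[(PEER, "LE")], "rejected:", len(s.rejected))
```

The `rejected` list doubles as a detection signal: a refused CTKD overwrite for an already bonded peer is worth logging and reviewing.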