PT-2020-14641 · Bluetooth Special Interest · Bluetooth

Published 2020-09-10 · Updated 2022-11-16 · CVE-2020-15802

CVSS v3.1 · 5.9 · Medium

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Bluetooth versions 4.0 through 5.0

Description

The issue is a man-in-the-middle attack, also known as BLURtooth, that affects devices supporting Bluetooth before version 5.1. The attack exploits Cross Transport Key Derivation (CTKD) in Bluetooth Core Specification versions 4.2 and 5.0: an unauthenticated user can establish a bonding on one transport and thereby replace a bonding already established on the opposing transport. This could overwrite an authenticated key with an unauthenticated key, or a key with greater entropy with one with less. The estimated number of potentially affected devices worldwide is not specified.

Recommendations

For Bluetooth versions 4.0 through 5.0, as a temporary workaround, consider restricting Bluetooth connections to trusted devices only and avoid using Bluetooth in the presence of untrusted devices until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
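
The overwrite condition in the description can be expressed as a host-side guard on the bond store. The following is an added example, not code from this advisory or from any Bluetooth stack: the `bond_key_t` record, the `ctkd_store_derived` function and the result codes are hypothetical names, and key size in bytes is assumed as a stand-in for key entropy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bond record for one peer on one transport (BR/EDR or LE). */
typedef struct {
    bool    present;       /* a bonding already exists on this transport */
    bool    authenticated; /* key came from an authenticated pairing */
    uint8_t key_size;      /* assumption: key size in bytes stands in for entropy */
    uint8_t key[16];
} bond_key_t;

typedef enum {
    CTKD_STORED = 0,
    CTKD_REJECT_UNAUTHENTICATED, /* unauthenticated key would replace authenticated */
    CTKD_REJECT_WEAKER           /* shorter key would replace a longer one */
} ctkd_result_t;

/* Store a key derived via CTKD from the opposing transport, unless doing so
 * would downgrade a bonding that already exists on this transport. */
ctkd_result_t ctkd_store_derived(bond_key_t *existing, const bond_key_t *derived)
{
    if (existing->present) {
        if (existing->authenticated && !derived->authenticated)
            return CTKD_REJECT_UNAUTHENTICATED;
        if (derived->key_size < existing->key_size)
            return CTKD_REJECT_WEAKER;
    }
    *existing = *derived;       /* no downgrade: accept the derived key */
    existing->present = true;
    return CTKD_STORED;
}

int main(void)
{
    /* Constructed sample: authenticated 16-byte LE bond already stored. */
    bond_key_t le = { .present = true, .authenticated = true, .key_size = 16 };
    /* Constructed sample: key derived from an unauthenticated BR/EDR pairing. */
    bond_key_t derived = { .authenticated = false, .key_size = 16 };

    ctkd_result_t r = ctkd_store_derived(&le, &derived);
    printf("result=%d, stored bond still authenticated=%d\n", r, le.authenticated);
    return r == CTKD_REJECT_UNAUTHENTICATED ? 0 : 1;
}
```

A rejected derivation leaves the stored bond untouched, so the result code can be logged as a detection signal for an attempted key replacement.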

Exploit

Improper Authentication

Weakness Enumeration

Related Identifiers

ASB-A-158854097
CVE-2020-15802

Affected Products

Bluetooth