bluetooth vulnerabilities 2

7 Bluetooth Vulnerabilities Allow Hackers To Mimic Genuine Devices

Reading Time: 2 minutes

Last Updated on June 12, 2021 by Calvin C.

Shocking news reveal that 7 Bluetooth vulnerabilities were identified by a French government agency and these allow hackers to mimic legitimate devices.

These flaws affect the Bluetooth Core and Mesh Profile specifications to appear as genuine devices during the pairing process, giving hackers room to launch a man-in-the-middle attack.

Both specifications are responsible for defining policy and technical requirements of devices that connect using Bluetooth.

In other words, these requirements allow Bluetooth devices to communicate with each other successfully.

Now with this Bluetooth Impersonation Attack, a hacker is able to bypass the authentication process and establish a secure connection with the other device.

bluetooth vulnerabilities

The Bluetooth Special Interest Group (BSIG) oversees the development of Bluetooth standards and issued recommendations for each of the flaws.

Details of vulnerabilities and links to recommendations

You can find more information about these security flaws on BSIG website.

The vulnerabilities are summarized in the following table:

VulnerabilityDetailsSpecifications AffectedCVE [NVD]
Bluetooth Mesh Profile AuthValue leakSIG Security NoticeMesh Profile Spec, v1.0 to v1.0.1CVE-2020-26559
Malleable commitment in Bluetooth Mesh Profile provisioningSIG Security NoticeMesh Profile Spec, v1.0 to v1.0.1CVE-2020-26556
Predictable Authvalue in Bluetooth Mesh Profile provisioning leads to MITMSIG Security NoticeMesh Profile Spec, v1.0 to v1.0.1CVE-2020-26557
Impersonation attack in Bluetooth Mesh Profile provisioningSIG Security NoticeMesh Profile Spec, v1.0 to v1.0.1CVE-2020-26560
Impersonation in the BR/EDR pin-pairing protocolSIG Security NoticeCore Spec, v1.0B to 5.2CVE-2020-26555
Authentication of the Bluetooth LE legacy-pairing protocolSIG Security NoticeCore Spec, v4.0 to 5.2N/A
Impersonation in the Passkey entry protocolSIG Security NoticeCore Spec, v2.1 to 5.2CVE-2020-26558

Bluetooth SIG highlighted that users have to make sure that they have installed the latest updates from device and operating system manufacturers.

According to Carnegie Mellon CERT Coordination Centre (CERT/CC), the following vendors were affected:

  • Android Open Source Project (AOSP)
  • Intel
  • Cisco
  • Red Hat
  • Microchip Technology
  • Cradlepoint

These vendors are working towards patching the vulnerabilities in upcoming updates.

AOSP confirmed that it is working on fixing the flaws, highlighting that one of the vulnerability has negligible impact on security.

“Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin,” AOSP told CERT/CC.


Although the flaws have been addressed, this situation shows how fast cybercriminals capitalize on any leaks in the security of your devices.

Once they connect to a victim’s device they access all the information on the device and even leave malware that further compromises security and privacy.

It is important to keep your devices up-to-date all the time and actively watch out for any potential threats.

One way to safeguard your privacy and security is by using a reliable VPN.

A VPN creates a VPN tunnel that hides your identity, masks your IP address and changes your geo-location so that cybercriminals are kept in the dark.

  • We recommend NordVPN because it has the overall best security features
  • Hides your IP address
  • Strong encryption
  • Antimalware
  • Adblock
  • 68% off a 2-year plan
  • 30-day money-back guarantee

Leave comments below and share the article with your friends. Support VPNAnchor so that we continue to provide cybersecurity updates.

Tech writer and VPN expert. DIY enthusiast and loves anything to do with space science.

Leave a Reply

Your email address will not be published. Required fields are marked *