Last Updated on June 12, 2021 by Calvin C.
News reveals that 7 Bluetooth vulnerabilities were identified by a French government agency, and these allow hackers to mimic legitimate devices.
These flaws affect the Bluetooth Core and Mesh Profile specifications and let attackers appear as genuine devices during the pairing process, giving hackers room to launch a man-in-the-middle attack.
Both specifications are responsible for defining policy and technical requirements of devices that connect using Bluetooth.
In other words, these requirements allow Bluetooth devices to communicate with each other successfully.
Now with this Bluetooth Impersonation Attack, a hacker is able to bypass the authentication process and establish a secure connection with the other device.
The Bluetooth Special Interest Group (BSIG) oversees the development of Bluetooth standards and issued recommendations for each of the flaws.
Details of vulnerabilities and links to recommendations
You can find more information about these security flaws on the BSIG website.
The vulnerabilities are summarized in the following table:
| Vulnerability | Details | Specifications Affected | CVE [NVD] |
|---|---|---|---|
| Bluetooth Mesh Profile AuthValue leak | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26559 |
| Malleable commitment in Bluetooth Mesh Profile provisioning | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26556 |
| Predictable AuthValue in Bluetooth Mesh Profile provisioning leads to MITM | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26557 |
| Impersonation attack in Bluetooth Mesh Profile provisioning | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26560 |
| Impersonation in the BR/EDR pin-pairing protocol | SIG Security Notice | Core Spec, v1.0B to 5.2 | CVE-2020-26555 |
| Authentication of the Bluetooth LE legacy-pairing protocol | SIG Security Notice | Core Spec, v4.0 to 5.2 | N/A |
| Impersonation in the Passkey entry protocol | SIG Security Notice | Core Spec, v2.1 to 5.2 | CVE-2020-26558 |
Bluetooth SIG highlighted that users have to make sure that they have installed the latest updates from device and operating system manufacturers.
According to Carnegie Mellon CERT Coordination Centre (CERT/CC), the following vendors were affected:
- Android Open Source Project (AOSP)
- Red Hat
- Microchip Technology
These vendors are working towards patching the vulnerabilities in upcoming updates.
AOSP confirmed that it is working on fixing the flaws, highlighting that one of the vulnerabilities has negligible impact on security.
“Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin,” AOSP told CERT/CC.
Although the flaws have been addressed, this situation shows how fast cybercriminals capitalize on any leaks in the security of your devices.
Once they connect to a victim’s device they access all the information on the device and even leave malware that further compromises security and privacy.
It is important to keep your devices up-to-date all the time and actively watch out for any potential threats.
One way to safeguard your privacy and security is by using a reliable VPN.
A VPN creates a VPN tunnel that hides your identity, masks your IP address and changes your geo-location so that cybercriminals are kept in the dark.