EURECOM, a French security research group, has found a significant vulnerability in the security of connections between two Bluetooth devices.
According to Android Authority, material published on exploiting this vulnerability shows a relatively simple method to brute-force the Bluetooth encryption keys used between two devices. If successful, the attacker can impersonate the device and access sensitive data.
This exploit appears to work at least partially on any device using Bluetooth 4.2 or later. Bluetooth 4.2 support was deployed in late 2014, which means this attack could theoretically work on most modern Bluetooth devices.
EURECOM has divided the attacks into six different styles and uses the name BLUFFS to refer to all of them. As part of the report, EURECOM presented a table of the devices they were able to spoof using these attacks and how successful each of the six types was.
The Bluetooth Special Interest Group (SIG), the non-profit body that oversees the development of the standard, has acknowledged EURECOM's findings. In its security bulletin, the group recommended that manufacturers implementing Bluetooth technology in products follow strict security protocols to prevent this attack from working. However, it did not mention whether upcoming versions of Bluetooth will patch the vulnerability discovered by EURECOM. The most recent Bluetooth standard is v5.4, released in February 2023.