Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices

A vulnerability related to pairing in Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) connections could be exploited to impersonate a previously paired device, researchers have discovered.

A vulnerability related to pairing in Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) connections could be exploited to impersonate a previously paired device, researchers have discovered.

The security flaw allows for an attacker within Bluetooth range of an affected device to spoof the Bluetooth address of a previously bonded remote device, thus successfully authenticating without knowing the link key normally used for establishing an encrypted connection.

“It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS),” a CERT Coordination Center (CERT/CC) alert reads.

In a statement published on this vulnerability, the Bluetooth Special Interest Group (SIG) explains that the attacks allow hackers to “negotiate a reduced encryption key strength” if the device is still vulnerable to the KNOB (Key Negotiation of Bluetooth) attack disclosed last year.

The attacker could attempt to brute-force the encryption key and spoof the remote paired device. If the attack is not successful, the encrypted link is not established, but the attacker may still appear authenticated to the host.

For the attack to be successful, the attacker needs to know the Bluetooth address of the remote device to which the target was previously paired. Tracked as CVE-2020-10135, the vulnerability has a CVSS score of 4.8.

The vulnerability can be exploited in two manners, depending on the Secure Simple Pairing method (Legacy Secure Connections or Secure Connections) used to establish the previous connection with the remote device.

The first method allows the attacker to downgrade the authentication security and proceed with the BIAS method. If they can downgrade authentication or the device does not support Secure Connections, the attacker can initiate a master-slave role switch to become the authentication initiator.

“If successful, they complete the authentication with the remote device. If the remote device does not then mutually authenticate with the attacker in the master role, it will result in the authentication-complete notification on both devices, even though the attacker does not possess the link key,” the CERT/CC alert reads.

To mitigate the issue, vendors are advised to ensure that the encryption key length cannot be reduced below 7 octets and that hosts initiate mutual authentication or support Secure Connections Only mode when this is possible. Moreover, they should ensure that an encrypted link is required for the Bluetooth authentication to be used to independently signal a change in device trust.

“To remedy this vulnerability, the Bluetooth SIG is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication and to recommend checks for encryption-type to avoid a downgrade of secure connections to legacy encryption,” Bluetooth SIG notes.

Related: New Bluetooth Vulnerability Allows Attackers to Intercept Traffic

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Related: Google’s Titan Security Keys Vulnerable to Bluetooth Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.