According to Android Authority, the exploit post shows a relatively simple method to brute force Bluetooth encryption keys between two devices. If successful, an attacker could impersonate the device and access sensitive data.
Billions of devices are using the Bluetooth 4.2 protocol
This exploit appears to work at least partially on any device using Bluetooth 4.2 or later. Bluetooth 4.2 devices were reportedly deployed in late 2014, meaning the attack should theoretically work on most modern Bluetooth devices.
EURECOM has divided the attacks into six different styles, using the acronym BLUFFS to cover them all. As part of the report, EURECOM has presented a table of the devices they were able to spoof using these attacks and the success rate of each of the six types.
The Bluetooth Special Interest Group (SIG), the nonprofit body that oversees the development of the standard, acknowledged EURECOM's findings. In a security bulletin, the group recommended that manufacturers implementing Bluetooth technology in their products follow strict security protocols to prevent this attack from working. However, it did not mention whether future versions of the standard would patch the vulnerability EURECOM discovered. The most recent Bluetooth standard, v5.4, was released in February 2023.