Bluetooth 4.2 and newer can be brute-force attacked, putting billions of devices at risk

  • A French research team with EURECOM has discovered a scary Bluetooth security flaw.
  • Using a brute-force attack, a man-in-the-middle (MitM) operator could spoof two connected devices using Bluetooth 4.2 or newer.
  • The Bluetooth SIG has acknowledged the flaw and made suggestions for OEMs to keep consumers safe.

With smartphones rarely incorporating headphone jacks anymore, billions of users have had to rely on Bluetooth headsets for their audio needs. Historically, this has been secure. There’s an encrypted connection between your phone and your headset, for example.

However, a French team at EURECOM has found a significant flaw in the security between two devices connected via Bluetooth. As first spotted by Bleeping Computer, the published paper on this exploit shows a relatively simple method for brute-forcing the Bluetooth encryption keys between two devices. If successful, the attacker could spoof the devices and access potentially sensitive data.
