These critical Bluetooth vulnerabilities allow hackers to impersonate legitimate devices

Attackers can abuse vulnerabilities discovered in the Bluetooth Core and Mesh Profile specifications to impersonate legitimate devices during pairing and launch man-in-the-middle (MitM) attacks.

Successful exploitation of the Bluetooth vulnerabilities found and reported by researchers from the Agence nationale de la sécurité des systèmes d'information (ANSSI) could allow attackers to perform MitM attacks while within wireless range of vulnerable devices.

Earlier today, the Bluetooth Special Interest Group (Bluetooth SIG), the organization that oversees the development of Bluetooth standards, also released security advice and recommendations for each of the seven security flaws affecting the two vulnerable specifications.

Details of the discovered vulnerabilities, including the affected Bluetooth specification and link to the Bluetooth SIG recommendations and advisories, are shown in the table below.

[Picture 1: These critical Bluetooth vulnerabilities allow hackers to impersonate legitimate devices]

"The Bluetooth SIG is also making the details of this vulnerability and remedial measures widely available to our member companies and is encouraging them to quickly integrate any needed patches," the organization said. "As always, Bluetooth users should ensure they have installed the latest updates recommended by device and operating system manufacturers."

According to the Carnegie Mellon CERT Coordination Center (CERT/CC), the Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology, and Cradlepoint are companies whose products are affected by these vulnerabilities.

AOSP is working hard to publish security updates to address vulnerabilities CVE-2020-26555 and CVE-2020-26558 affecting Android devices.

"Android has assessed this issue as high severity for the Android operating system and will release a patch for this vulnerability in an upcoming Android security bulletin," AOSP told CERT/CC.

Cisco is also working to patch issues CVE-2020-26555 and CVE-2020-26558 affecting its products.

"Cisco is monitoring these vulnerabilities through issue PSIRT-0503777710," the company said. "Cisco has investigated the impact of the aforementioned Bluetooth specification vulnerabilities and is currently waiting for all individual product development teams to provide software fixes to address them."

Although affected by a number of vulnerabilities, Intel, Red Hat, and Cradlepoint did not provide information to CERT/CC prior to the vulnerabilities being disclosed.
