{"id":6260,"date":"2019-08-25T23:32:28","date_gmt":"2019-08-25T23:32:28","guid":{"rendered":"https:\/\/gtechbooster.com\/?p=6260"},"modified":"2023-04-01T01:36:50","modified_gmt":"2023-04-01T01:36:50","slug":"bluetooth-encryption-broken","status":"publish","type":"post","link":"https:\/\/gtechbooster.com\/bluetooth-encryption-broken\/","title":{"rendered":"Bluetooth encryption broken"},"content":{"rendered":"\n<p>Researchers have broken Bluetooth&#8217;s encryption key negotiation \nprotocol using an attack they&#8217;ve called KNOB &#8211; Key Negotiation Of \nBluetooth. The vulnerability affects almost all devices that support \nBluetooth, but Google has already announced patches for Android devices.<\/p>\n\n\n\n<p>The vulnerability was reported in a paper given at this year&#8217;s USENIX Security Symposium in California. The researchers, Kasper B. Rasmussen from Oxford University, Daniele Antonioli of Singapore University of Technology, and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security, gave a paper on how a brute-force attack can be used to target a weakness in the firmware of a Bluetooth chip to let hackers set up a man-in-the-middle attack using packet injection. 
The attack can then be used to gain access to sensitive data.<\/p>\n\n\n\n<p>The researchers say the attack can be carried out without any \nknowledge of encryption keys, and the way it works is to make Bluetooth \nusers rely on an encryption key with only 1 byte of entropy &#8211; keys that are\n one character long. While such keys do secure a Bluetooth-paired \nconnection, they&#8217;re susceptible to a brute-force attack. Most Bluetooth \nconnections would use a longer key, but Bluetooth doesn&#8217;t check for \nchanges in the entropy of encryption keys, and the pre-pairing stage \nisn&#8217;t encrypted.<\/p>\n\n\n\n<p>The entropy negotiation is performed over the Link Manager Protocol \n(LMP), and it is transparent to the Bluetooth users because LMP packets \nare managed by the firmware of the Bluetooth chips and they are not \npropagated to higher layers. In the negotiation, the first device \nsuggests a key length for encryption, and the second device accepts \nwhatever key length is suggested. This means that if an attacker finds a\n way to intercept the non-encrypted negotiation and alter the key \nlength, the devices will both use the shorter key. 
The attacker can then\n use brute force to crack the negotiated encryption keys, decrypt the \ninformation being exchanged, and inject valid encrypted messages in \nrealtime.<\/p>\n\n\n\n<p>The attack goes undetected because the encryption key negotiation is transparent to the Bluetooth users, and is:<\/p>\n\n\n\n<p><em> &#8220;standard-compliant because all \nBluetooth BR\/EDR versions require to support encryption keys with \nentropy between 1 and 16 bytes and do not secure the key negotiation \nprotocol. As a result, the attacker completely breaks Bluetooth BR\/EDR \nsecurity without being detected.&#8221;<\/em><\/p>\n\n\n\n<p>Implementing such an attack would require devices such as a Bluetooth\n protocol analyzer along with a brute force script. 
It would still be \ndifficult to carry out such an attack, but the researchers said it would\n also be possible for a firmware attack where the firmware of the \nBluetooth chip of a single victim would be compromised using techniques \nsuch as backdoors, supply-chain implants, or rogue chip manufacturers.<\/p>\n\n\n\n<p>Before giving the paper, the researchers had explained their findings\n to the Bluetooth Special Interest Group (SIG) along with other bodies \nincluding the International Consortium for Advanced Cybersecurity on\n the Internet. SIG says it has updated the Bluetooth Core Specification \nto recommend the use of encryption keys with a minimum of 7 bytes of \nentropy. Manufacturers of devices using Bluetooth are putting out \nupdates.<\/p>\n\n\n\n<p>The researchers tested 17 Bluetooth chips from Apple, Broadcom, \nChicony, Intel and Qualcomm, and found they were all susceptible to \nattack. The full list can be&nbsp;<a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/918987\/\" target=\"_blank\" rel=\"noreferrer noopener\">read online<\/a>.<\/p>\n\n\n\n<p>At the time of writing, Blackberry included a patch for its Android devices in June, and Google included the patch in its August 5 Android update.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More Information<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.usenix.org\/system\/files\/sec19-antonioli.pdf\">Research Paper<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have broken Bluetooth&#8217;s encryption key negotiation protocol using an attack they&#8217;ve called KNOB &#8211; Key Negotiation Of Bluetooth. The vulnerability affects almost all devices that support Bluetooth, but Google has already announced patches for Android devices. The vulnerability was reported in a paper given at this year&#8217;s USENIX Security Symposium in California. The researchers, [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":6261,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1915],"tags":[133,1444,236,981,681],"class_list":["post-6260","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ndocs","tag-bluetooth","tag-cyber-security","tag-data-security","tag-network-security","tag-research"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/6260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/comments?post=6260"}],"version-history":[{"count":0,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/6260\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media\/6261"}],"wp:attachment":[{"href":"https:\/\/gtechbooster.com\/api
-json\/wp\/v2\/media?parent=6260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/categories?post=6260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/tags?post=6260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}