At the Bluetooth SIG, we strive to make Bluetooth the global standard for simple, secure wireless connectivity and security is of the utmost importance. If you have found a potential security issue in any Bluetooth specification, please contact us via email at [email protected]. For encrypted communication, you may use our public key.
We do our best to respond to security issues within 48 hours, but if you do not receive a response within this time frame, please feel free to follow up with us to ensure that we have received your original report.
Report Details
The following information will help us to evaluate your submission as quickly as possible. If available, please include in your report:
- Vulnerability type (security, privacy, availability/DoS, etc.)
- Affected specification and version
- Instructions to reproduce the issue
- A proof-of-concept (PoC)
Bluetooth Security Notices
| Vulnerability | Publication Date | Details | Specifications Affected | CVE [NVD] |
|---|---|---|---|---|
| BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses | 27/11/2023 | SIG Security Notice | Core Spec v4.2 to 5.2 | CVE-2023-24023 |
| Pairing Mode Confusion in BLE Passkey Entry | 09/12/2022 | SIG Security Notice | Core Spec v4.0 to 5.3 | CVE-2022-25836 |
| Pairing Mode Confusion in BR/EDR | 09/12/2022 | SIG Security Notice | Core Spec v1.0B to 5.3 | CVE-2022-25837 |
| InjectaBLE: Injecting malicious traffic into established Bluetooth Low Energy connections | 21/06/2021 | SIG Security Notice | Core Spec, v4.0 to 5.2 | CVE-2021-31615 |
| Bluetooth Mesh Profile AuthValue leak | 24/05/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26559 |
| Malleable commitment in Bluetooth Mesh Profile provisioning | 24/05/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26556 |
| Predictable Authvalue in Bluetooth Mesh Profile provisioning leads to MITM | 24/05/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26557 |
| Impersonation attack in Bluetooth Mesh Profile provisioning | 24/05/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26560 |
| Impersonation in the BR/EDR pin-pairing protocol | 24/05/2021 | SIG Security Notice | Core Spec, v1.0B to 5.2 | CVE-2020-26555 |
| Authentication of the Bluetooth LE legacy-pairing protocol | 24/05/2021 | SIG Security Notice | Core Spec, v4.0 to 5.2 | N/A |
| Impersonation in the Passkey entry protocol | 24/05/2021 | SIG Security Notice | Core Spec, v2.1 to 5.2 | CVE-2020-26558 |
| Exploiting Cross-Transport Key Derivation | 09/09/2020 | SIG Security Notice | Core Spec, v4.2 to 5.0 | CVE-2020-15802 |
| Pairing Method Confusion | 18/05/2020 | SIG Security Notice |
Core Spec, v2.1 to v5.2 |
CVE-2020-10134 |
| Bluetooth Impersonation Attacks | 18/05/2020 | SIG Security Notice |
Core Spec, v2.1 to v5.2 |
CVE-2020-10135 |
| Key Negotiation of Bluetooth | 13/08/2019 | SIG Security Notice | Core Spec, v4.2, v5.0 and v5.1 | CVE-2019-9506 |
| Validation of Elliptic Curve Parameters | 23/07/2018 | SIG Security Notice | Core Spec, v2.1 to v5.0 | CVE-2018-5383 |
