A vulnerability published on November 28, 2023, under CVE-2023-24023, appears to affect almost all Bluetooth devices. This was discovered by the French assistant professor and researcher at Eurecom, Daniele Antonioli.
It involves a so-called man-in-the-middle attack, where an attacker needs to be in proximity to two devices attempting to connect via Bluetooth or that are already connected. The attack exploits a feature of Bluetooth intentionally woven deep into the architecture of this protocol. If the attacker pretends to be one of the two connected devices by spoofing it, they can then request the other device to lower the encryption strength.
To facilitate the collaboration of Bluetooth devices across different generations, this is an intentional capability. As a result, the connection will use the best possible encryption, with the less capable device determining the encryption strength.
For this reason, an attacker posing as one of the two devices can tell the other device that the encryption should be less secure, claiming it cannot handle stronger encryption. This request will then be followed. Afterward, the attacker can cease broadcasting and switch to only intercepting (or eavesdropping). The communication between the two devices will now proceed with weaker encryption.
Now that the encryption is weaker, the attacker can employ powerful modern hardware and software to crack this communication while continuing to intercept the communication between the two devices.
This attack has been feasible since Bluetooth version 4.2 and remains possible up to the latest version of Bluetooth, which is version 5.4. Due to the intentional incorporation of this attack method in Bluetooth, finding a solution is virtually impossible.
Possibly, the use of "Secure Connections," a security feature of Bluetooth, may provide some relief, as indicated by the discoverer of the flaw. Furthermore, a user of Bluetooth devices has limited options to defend against this attack.