SWRA674 May   2020  – MONTH  CC1350 , CC1352P , CC1352R , CC2560 , CC2560B , CC2564 , CC2564C , CC2564MODA , CC2564MODN , CC2640R2F , CC2640R2F-Q1 , CC2640R2L , CC2642R , CC2642R-Q1 , CC2650 , CC2652P , CC2652R , CC2652R7 , CC2652RB , CC2652RSIP , WL1831MOD , WL1835MOD , WL1837MOD


  1. 1TI-PSIRT-2020-020038


CVEID: CVE-2020-10134

Publication date: May 18, 2020


Bluetooth® Special Interest Group (SIG) has issued recommendations based on findings from researchers at the Technical University of Munich (TUM) regarding a potential security vulnerability, enabling an attacking device to successfully intercede as a man-in-the-middle between two pairing devices. To do this, the attacker must negotiate a numeric compare procedure with one device and a passkey pairing procedure with the other, and the user must erroneously enter the numeric compare value as the passkey and accept pairing on the numeric compare device.

Potentially impacted features

An attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing either an LE or a BR/EDR encrypted connection using the passkey entry or numeric comparison for device authentication without existing shared credentials (LTK or link key). At least one device must permit entry of a passkey, and the other must support a display capable of representing six decimal digits.

Suggested mitigations

All devices supporting BluetoothLE Secure Connections Pairing and Secure Simple Pairing are potentially vulnerable to this attack. Bluetooth SIG suggests recommendations that can be implemented at the application layer. Please see the Bluetooth SIG notice regarding the Method Confusion pairing vulnerability for details.

External references

Revision history

  • Version 1.0 Initial publication