Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Bluetooth Flaws Allow Attackers to Impersonate Legitimate Devices

Bluetooth Flaws Allow Attackers to Impersonate Legitimate Devices

Attackers could abuse vulnerabilities discovered in the Bluetooth Core and Mesh Profile specifications to impersonate legitimate devices during the pairing process and launch man-in-the-middle (MitM) attacks.

The Bluetooth Core and Mesh Profile specifications define requirements needed by Bluetooth devices to communicate with each other and for Bluetooth devices using low energy wireless technology to enable interoperable mesh networking solutions.

Successfully exploiting the vulnerabilities found and reported by researchers at the Agence nationale de la sécurité des systèmes d’information (ANSSI), could enable the attackers to launch MitM attacks while within wireless range of vulnerable devices.

The Bluetooth Special Interest Group (Bluetooth SIG), the organization overseeing the development of Bluetooth standards, also issued security advisories earlier today, providing recommendations for each of the seven security flaws impacting the two vulnerable specs.

Detailed information on the discovered vulnerabilities, including the affected Bluetooth specs and links to Bluetooth SIG advisories and recommendations, is available in the table embedded below.

Also Read: The DNC Singapore: Looking at 2 Sides Better

CVE IDVulnerabilityAffected specsDetails
CVE-2020-26559Bluetooth Mesh Profile AuthValue leakMesh Profile Spec, v1.0 to v1.0.1SIG Security Notice
CVE-2020-26556Malleable commitment in Bluetooth Mesh Profile provisioningMesh Profile Spec, v1.0 to v1.0.1SIG Security Notice
CVE-2020-26557Predictable Authvalue in Bluetooth Mesh Profile provisioning leads to MITMMesh Profile Spec, v1.0 to v1.0.1SIG Security Notice
CVE-2020-26560Impersonation attack in Bluetooth Mesh Profile provisioningMesh Profile Spec, v1.0 to v1.0.1SIG Security Notice
CVE-2020-26555Impersonation in the BR/EDR pin-pairing protocolCore Spec, v1.0B to 5.2SIG Security Notice
N/AAuthentication of the Bluetooth LE legacy-pairing protocolCore Spec, v4.0 to 5.2SIG Security Notice
CVE-2020-26558Impersonation in the Passkey entry protocolCore Spec, v2.1 to 5.2SIG Security Notice

“The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches,” the organization said.

“As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.”

Impacted vendors work on patching the flaws

The Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology, and Cradlepoint are among the vendors identified so far with products impacted by these security flaws, according to the Carnegie Mellon CERT Coordination Center (CERT/CC).

AOSP is working on publishing security updates to address the CVE-2020-26555 and CVE-2020-26558 vulnerabilities affecting Android devices.

“Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin,” AOSP told CERT/CC.

Cisco is also working on patching the CVE-2020-26555 and CVE-2020-26558 issues impacting its products.

“Cisco is tracking these vulnerabilities via incident PSIRT-0503777710,” the company said.

Also Read: 4 Best Practices on How to Use SkillsFuture Credit

“Cisco has investigated the impact of the aforementioned Bluetooth Specification vulnerabilities and is currently waiting for all the individual product development teams to provide Software fixes to address them.”

Although affected by some of the flaws, Intel, Red Hat, and Cradlepoint did not provide statements to CERT/CC before the vulnerabilities were disclosed.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us