In some versions of the BLURtooth attack, the authentication keys can be overwritten completely, while in other authentication keys can be downgraded to use weak encryption.
All devices using the Bluetooth standard 4.2 through 5.0 are vulnerable. The Bluetooth 5.1 standard comes with features that can be activated and prevent BLURtooth attacks.
Bluetooth SIG officials say they started notifying vendors of Bluetooth devices about the BLURtooth attacks and how they could mitigate its effects when using the 5.1 standard.
Patches... uhm... will be ready... when they're ready
Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks, or pairings with rogue devices carried out via social engineering (tricking the human operator).
However, patches are expected to be available at one point. When they'll be, they'll most likely be integrated as firmware or operating system updates for Bluetooth capable devices.
The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as others. The number of vulnerable devices is also unclear and hard to quantify.
Users can keep track if their device has received a patch for the BLURtooth attacks by checking firmware and OS release notes for CVE-2020-15802, the bug identifier of the BLURtooth vulnerability.
According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.
Anker PowerConf Bluetooth Speakerphone, in pictures