Authorities say millions of devices vulnerable to the ‘BLURtooth’ info leak bug.

BLURtooth was discovered by researchers at École Polytechnique Fédérale de Lausanne in France and Purdue University in the United States. It allows strong encryption keys to be overwritten or weakened.

Carnegie Mellon University's computer emergency response team (CERT) says the Cross-Transport Key Derivation (CTKD) vulnerability allows access to profiles and services offered by Bluetooth devices.

The bug comes from an implementation flaw in Bluetooth Classic and Bluetooth Low Energy (BLE) specifications 4.2 to 5.0.

The tech industry’s Bluetooth Special Interest Group (SIG) has made some recommendations, and says it is talking to members about patches for BLURtooth.