KNOB attack lets hackers insert themselves into your Bluetooth calls
Vulnerability allows attackers to ‘completely break’ Bluetooth encryption


Researchers have discovered a flaw in Bluetooth authentication protocols which allows hackers to listen in on conversations conducted via Bluetooth devices or to change the contents of file transfers.
The attack is codenamed KNOB, which stands for 'Key Negotiation Of Bluetooth', and was discovered by three international researchers: Kasper Rasmussen from Oxford University, Daniele Antonioli from the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security's Nils Ole Tippenhauer.
The KNOB attack works by forcing the participants in a Bluetooth handshake to use an encryption key with just one byte of entropy, allowing an attacker to brute-force the key. They are then able to insert valid, cryptographically-signed data into the transfer, or to eavesdrop on data (including the audio of phone calls) being passed between devices.
"As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected," the researchers wrote in the technical paper explaining the flaw.
KNOB attacks are completely undetectable to the victims, as they target the key negotiation itself. They also don't violate the agreed Bluetooth industry standards, as one byte is the minimum level of entropy permitted by all BR/EDR standards, which also do not require that key negotiation protocols are secured. In short, this means that the firmware of any standard-compliant Bluetooth chip is vulnerable.
The researchers tested the exploit on 17 different Bluetooth chips across 24 different devices, including chips from Apple, Intel, Broadcom and Qualcomm. All the tested devices were found to be at the mercy of KNOB attacks. The vulnerability was disclosed to the Bluetooth industry - via the Bluetooth Special Interest Group (SIG), the CERT Coordination Centre and the International Consortium for Advancement of Cybersecurity on the Internet - in November last year.
"After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers said. "So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed."
The vulnerability, which has been designated as CVE-2019-9506, has now been addressed by the Bluetooth SIG, which has updated the core Bluetooth specification to recommend a minimum of 7 bytes of entropy for encryption keys. While it is urging vendors to patch their products to prevent the attack, the SIG has also advised that the chances of hackers exploiting the vulnerability in the wild are slim.
"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection," an advisory note from the Bluetooth SIG read. "If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."
"There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability."
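The following Python example is an added illustration, not code from the researchers or the Bluetooth SIG. It models the key-size negotiation in simplified form to show why a one-byte minimum leaves a link brute-forceable and why a device enforcing the recommended 7-byte minimum refuses the downgrade. The `Device`, `negotiate`, `keyspace` and `audit` names and the sample devices are hypothetical, and the 16-byte maximum key size is an assumption not stated in the article.

```python
from dataclasses import dataclass

SPEC_FLOOR_BYTES = 1       # minimum entropy the BR/EDR standards permitted (per the article)
RECOMMENDED_MIN_BYTES = 7  # minimum the updated core specification recommends (per the article)
MAX_KEY_BYTES = 16         # assumed BR/EDR upper bound on key size (not stated in the article)


@dataclass(frozen=True)
class Device:
    """Hypothetical device model: only its key-size policy matters here."""
    name: str
    min_key_bytes: int
    max_key_bytes: int = MAX_KEY_BYTES


def negotiate(initiator, responder, received_proposal=None):
    """Return the agreed key size in bytes, or None if either side refuses.

    received_proposal is the size the responder actually sees. The negotiation
    is not integrity-protected, so it can differ from what the initiator sent.
    """
    proposal = initiator.max_key_bytes if received_proposal is None else received_proposal
    size = min(proposal, responder.max_key_bytes)
    # Each side accepts only sizes at or above its own configured minimum.
    if size < responder.min_key_bytes or size < initiator.min_key_bytes:
        return None
    return size


def keyspace(size_bytes):
    """Number of candidate keys for a key with the given bytes of entropy."""
    return 256 ** size_bytes


def audit(links, minimum=RECOMMENDED_MIN_BYTES):
    """Return names of links whose negotiated key size is below the minimum."""
    return [name for name, size in links if size is not None and size < minimum]


# Constructed devices: two using the old floor, one enforcing the new minimum.
legacy_phone = Device("legacy-phone", SPEC_FLOOR_BYTES)
legacy_headset = Device("legacy-headset", SPEC_FLOOR_BYTES)
patched_phone = Device("patched-phone", RECOMMENDED_MIN_BYTES)

if __name__ == "__main__":
    links = [
        ("untampered", negotiate(legacy_phone, legacy_headset)),
        ("downgraded", negotiate(legacy_phone, legacy_headset, received_proposal=1)),
        ("patched-peer", negotiate(patched_phone, legacy_headset, received_proposal=1)),
    ]
    print([(n, s, keyspace(s) if s else "refused") for n, s in links])
    print("links below recommended minimum:", audit(links))
```

A one-byte key leaves 256 candidates to search, while the recommended 7-byte minimum leaves 2^56, and the patched device's refusal matches the SIG's point that one non-vulnerable device is enough to stop the downgrade.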
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.