Researchers have discovered a flaw in Bluetooth authentication protocols which allows hackers to listen in on conversations conducted via Bluetooth devices or to change the contents of file transfers.
The attack is codenamed KNOB, which stands for 'Key Negotiation Of Bluetooth', and was discovered by three international researchers: Kasper Rasmussen from Oxford University, Daniele Antonioli from the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security's Nils Ole Tippenhauer.
The KNOB attack works by forcing the participants in Bluetooth handshake to use an encryption key with just one byte of entropy, allowing an attacker to brute-force the key. They are then able to insert valid, cryptographically-signed data into the transfer, or to eavesdrop on data (including the audio of phone calls) being passed between devices.
"As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected," the researchers wrote in the technical paper explaining the flaw.
KNOB attacks are completely undetectable to the victims, as it attacks the key negotiation itself. It also doesn't violate the agreed Bluetooth industry standards, as one byte is the minimum level of entropy permitted by all BR/EDR standards, which also do not require that key negotiation protocols are secured. In short, this means that the firmware of any standard-compliant Bluetooth chip is vulnerable.
The researchers tested the exploit on 17 different Bluetooth chips across 24 different devices, including chips from Apple, Intel, Broadcom and Qualcomm. All the tested devices were found to be at the mercy of KNOB attacks. The vulnerability was disclosed to the Bluetooth industry - via the Bluetooth Special Interest Group (SIG), the CERT Coordination Centre and the International Consortium for Advancement of Cybersecurity on the Internet - in November last year.
"After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers said. "So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed."
The vulnerability, which has been designated as CVE-2019-9506, has now been addressed by the Bluetooth SIG, which has updated the core Bluetooth specification to recommend a minimum of 7 bytes of entropy for encryption keys. While it is urging vendors to patch their products to prevent the attack, the SIG has also advised that the chances of hackers exploiting the vulnerability in the wild are slim.
"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection," an advisory note from the Bluetooth SIG read. "If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."
"There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.