A research team has publicized about a vulnerability in Bluetooth that may affect nearly every device that supports the wireless communication protocol. Chipmakers were made aware of the so-called Key Negotiation of Bluetooth (KNOB) Attack in November. BlackBerry and Google have announced patches for Android devices.
Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.
In short, the vulnerability occurs in the encryption key generation process when two devices are pairing. Specifically, an entropy load to obscure the key while in transit is negotiated in an unencrypted fashion and can be easily interfered with either by a man-in-the-middle attack or bad code injected into a Bluetooth chip's firmware. The devices can be deceived into agreeing on an entropy load as small as — as dictated by Bluetooth specification — 1 byte, thus making it relatively easy to brute force the encryption key. The host devices are not aware of the key negotiation process, only of the key generated.
The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploit this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.
What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, the exploit keeps itself hidden from Bluetooth apps and the operating systems they run on, making it very difficult to spot the attack.
This issue does not affect Bluetooth Low Energy connections.
Daniele Antonioli of Singapore University of Technology and Design, Nils Ole Tipphenhauer of the Helmholtz Center for Information Security, and Kasper B. Rasmussen of the University of Oxford tested 17 unique chips from Broadcom, Qualcomm, Apple, Intel, and Chicony, finding all of them susceptible to attack. CVE-2019-9506 is available for inspection.
As mentioned above, BlackBerry patched its Android devices that support its June update and later. Google also fixed the issue on its August 5 level patch and has added the fix to it's August 1 level update for its Pixel phones — unfortunately, that means other early adopters for Android security updates aren't safe with the supplied August 1 level patch, but at least they'll be taken care of earlier than some other OEMs.
While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:
Letowon Saitoti Abdi, Senior Technical Support Officer.