KNOB attack lets hackers insert themselves into your Bluetooth calls

Vulnerability allows attackers to ‘completely break’ Bluetooth encryption

Researchers have discovered a flaw in Bluetooth authentication protocols which allows hackers to listen in on conversations conducted via Bluetooth devices or to change the contents of file transfers.

The attack is codenamed KNOB, which stands for 'Key Negotiation Of Bluetooth', and was discovered by three international researchers: Kasper Rasmussen from Oxford University, Daniele Antonioli from the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security's Nils Ole Tippenhauer.


The KNOB attack works by forcing the participants in a Bluetooth handshake to use an encryption key with just one byte of entropy, allowing an attacker to brute-force the key. They are then able to insert valid, cryptographically-signed data into the transfer, or to eavesdrop on data (including the audio of phone calls) being passed between devices.

"As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected," the researchers wrote in the technical paper explaining the flaw.

KNOB attacks are completely undetectable to the victims, as they target the key negotiation itself. They also do not violate the agreed Bluetooth industry standards, as one byte is the minimum level of entropy permitted by all BR/EDR standards, which also do not require that key negotiation protocols be secured. In short, this means that the firmware of any standard-compliant Bluetooth chip is vulnerable.


The researchers tested the exploit on 17 different Bluetooth chips across 24 different devices, including chips from Apple, Intel, Broadcom and Qualcomm. All the tested devices were found to be at the mercy of KNOB attacks. The vulnerability was disclosed to the Bluetooth industry - via the Bluetooth Special Interest Group (SIG), the CERT Coordination Centre and the International Consortium for Advancement of Cybersecurity on the Internet - in November last year.


"After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers said. "So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed."

The vulnerability, which has been designated as CVE-2019-9506, has now been addressed by the Bluetooth SIG, which has updated the core Bluetooth specification to recommend a minimum of 7 bytes of entropy for encryption keys. While it is urging vendors to patch their products to prevent the attack, the SIG has also advised that the chances of hackers exploiting the vulnerability in the wild are slim.
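To make the mechanism and the fix concrete, the following is an added example written for this page; it is not code from the researchers or from the Bluetooth SIG. It is a deliberately simplified model of BR/EDR encryption key size negotiation (the real exchange uses LMP messages; the message shapes, the `tamper` hook, and the device names here are assumptions for illustration). It shows how two legacy devices that each permit a 1-byte key can be driven down to 1 byte by a party rewriting the in-transit proposal, and how a device that enforces the SIG's recommended 7-byte minimum causes that negotiation to fail instead of producing a weak key.

```python
"""Simplified model of Bluetooth BR/EDR encryption key size negotiation.

Constructed example: the message format is an abstraction, not the LMP wire format.
Key size here means entropy in bytes, 1..16, as negotiated by BR/EDR devices.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

KEY_SIZE_MAX = 16             # largest key size BR/EDR negotiates (bytes of entropy)
KEY_SIZE_MIN_LEGACY = 1       # minimum the pre-2019 specification allowed
KEY_SIZE_MIN_RECOMMENDED = 7  # minimum the SIG now recommends after CVE-2019-9506

# ("propose", n) | ("accept", n) | ("reject", 0)
Message = Tuple[str, int]


@dataclass
class Device:
    name: str
    max_key_size: int = KEY_SIZE_MAX
    min_key_size: int = KEY_SIZE_MIN_LEGACY  # a hardened device sets this to 7

    def acceptable(self, n: int) -> bool:
        """Local policy check: the only defence a device controls on its own."""
        return 1 <= n <= KEY_SIZE_MAX and self.min_key_size <= n <= self.max_key_size

    def respond(self, n: int) -> Message:
        """Answer a proposed key size: accept it, counter-propose a smaller size
        we support, or reject when nothing acceptable remains."""
        if self.acceptable(n):
            return ("accept", n)
        counter = min(n, self.max_key_size)
        if counter >= self.min_key_size:
            return ("propose", counter)
        return ("reject", 0)


def negotiate(initiator: Device, responder: Device,
              tamper: Optional[Callable[[Message], Message]] = None,
              max_rounds: int = 4) -> Optional[int]:
    """Run the negotiation and return the agreed key size in bytes, or None.

    `tamper`, if given, rewrites every message in transit; it stands in for a
    man-in-the-middle on the radio link, which is exactly the position the
    negotiation does not authenticate against.
    """
    relay = tamper or (lambda m: m)
    sender, receiver = initiator, responder
    msg = relay(("propose", initiator.max_key_size))
    for _ in range(max_rounds):
        kind, n = msg
        if kind == "reject":
            return None
        if kind == "accept":
            # The side told "n was accepted" still applies its own policy to n.
            return n if receiver.acceptable(n) else None
        reply = receiver.respond(n)
        sender, receiver = receiver, sender
        msg = relay(reply)
    return None


def downgrade_to_one_byte(msg: Message) -> Message:
    """Models the KNOB manipulation: every proposal in transit becomes 'use 1 byte'."""
    return ("propose", 1) if msg[0] == "propose" else msg


def scenarios() -> dict:
    """Constructed comparison of legacy and hardened devices, with and without tampering."""
    legacy_a = Device("phone-legacy")
    legacy_b = Device("headset-legacy")
    hard_a = Device("phone-patched", min_key_size=KEY_SIZE_MIN_RECOMMENDED)
    hard_b = Device("headset-patched", min_key_size=KEY_SIZE_MIN_RECOMMENDED)
    return {
        "legacy, no tampering": negotiate(legacy_a, legacy_b),
        "legacy, tampered": negotiate(legacy_a, legacy_b, downgrade_to_one_byte),
        "one side patched, tampered": negotiate(hard_a, legacy_b, downgrade_to_one_byte),
        "both patched, tampered": negotiate(hard_a, hard_b, downgrade_to_one_byte),
        "both patched, no tampering": negotiate(hard_a, hard_b),
    }


if __name__ == "__main__":
    for label, size in scenarios().items():
        outcome = "negotiation failed" if size is None else f"{size}-byte key ({8 * size} bits of entropy)"
        print(f"{label:28s} -> {outcome}")
```

The model makes two of the article's points visible: nothing in the exchange lets either side notice that the proposals were rewritten, so the only effective control is a local minimum key size, and a single patched participant is enough to turn the downgrade into a failed connection rather than a 256-possibility key. The SIG advisory's observation that the attack fails "if one of the devices did not have the vulnerability" corresponds to the "one side patched" case.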

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection," an advisory note from the Bluetooth SIG read. "If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."

"There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability."
