KNOB attack lets hackers insert themselves into your Bluetooth calls

Vulnerability allows attackers to ‘completely break’ Bluetooth encryption

Researchers have discovered a flaw in Bluetooth authentication protocols which allows hackers to listen in on conversations conducted via Bluetooth devices or to change the contents of file transfers.

The attack is codenamed KNOB, which stands for 'Key Negotiation Of Bluetooth', and was discovered by three international researchers: Kasper Rasmussen from Oxford University, Daniele Antonioli from the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security's Nils Ole Tippenhauer.

Advertisement - Article continues below

The KNOB attack works by forcing the participants in Bluetooth handshake to use an encryption key with just one byte of entropy, allowing an attacker to brute-force the key. They are then able to insert valid, cryptographically-signed data into the transfer, or to eavesdrop on data (including the audio of phone calls) being passed between devices.

"As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected," the researchers wrote in the technical paper explaining the flaw.

KNOB attacks are completely undetectable to the victims, as it attacks the key negotiation itself. It also doesn't violate the agreed Bluetooth industry standards, as one byte is the minimum level of entropy permitted by all BR/EDR standards, which also do not require that key negotiation protocols are secured. In short, this means that the firmware of any standard-compliant Bluetooth chip is vulnerable.

Advertisement
Advertisement - Article continues below

The researchers tested the exploit on 17 different Bluetooth chips across 24 different devices, including chips from Apple, Intel, Broadcom and Qualcomm. All the tested devices were found to be at the mercy of KNOB attacks. The vulnerability was disclosed to the Bluetooth industry - via the Bluetooth Special Interest Group (SIG), the CERT Coordination Centre and the International Consortium for Advancement of Cybersecurity on the Internet - in November last year.

Advertisement - Article continues below

"After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers said. "So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed."

The vulnerability, which has been designated as CVE-2019-9506, has now been addressed by the Bluetooth SIG, which has updated the core Bluetooth specification to recommend a minimum of 7 bytes of entropy for encryption keys. While it is urging vendors to patch their products to prevent the attack, the SIG has also advised that the chances of hackers exploiting the vulnerability in the wild are slim.

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection," an advisory note from the Bluetooth SIG read. "If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."

"There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability."

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/security/hacking/355806/anarchygrabber-hack-steals-discord-tokens-ids-and-passwords
hacking

AnarchyGrabber hack steals Discord tokens, IDs and passwords

27 May 2020
Visit/security/hacking/355801/scammers-using-coronavirus-contact-tracing-in-hacking-attempt
hacking

Scammers leverage contact-tracing in hacking attempt

27 May 2020
Visit/security/phishing/355793/gitlab-phishes-its-remote-employees-and-1-in-5-fell-for-it
phishing

GitLab phished its employees and 20% handed over credentials

26 May 2020
Visit/security/cyber-security/355791/cyberpeace-institute-urges-governments-to-work-together-to-stop
cyber security

Governments urged to work together to stop health care cyber attacks

26 May 2020

Most Popular

Visit/operating-systems/microsoft-windows/355781/microsoft-confirms-further-issues-with-troublesome
Microsoft Windows

Microsoft's latest Windows 10 update is causing yet more issues

26 May 2020
Visit/mobile/5g/355712/nokia-5g-speed-record
5G

Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020