KNOB attack lets hackers insert themselves into your Bluetooth calls

Vulnerability allows attackers to ‘completely break’ Bluetooth encryption

Researchers have discovered a flaw in Bluetooth authentication protocols that allows hackers to listen in on conversations conducted via Bluetooth devices or to change the contents of file transfers.

The attack is codenamed KNOB, which stands for 'Key Negotiation Of Bluetooth', and was discovered by three international researchers: Kasper Rasmussen from Oxford University, Daniele Antonioli from the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security's Nils Ole Tippenhauer.

The KNOB attack works by forcing the participants in a Bluetooth handshake to use an encryption key with just one byte of entropy, allowing an attacker to brute-force the key. The attacker is then able to insert valid, cryptographically signed data into the transfer, or to eavesdrop on data (including the audio of phone calls) being passed between devices.

"As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected," the researchers wrote in the technical paper explaining the flaw.

The KNOB attack is completely undetectable to the victims, as it attacks the key negotiation itself. It also doesn't violate the agreed Bluetooth industry standards, as one byte is the minimum level of entropy permitted by all BR/EDR standards, which also do not require that key negotiation protocols are secured. In short, this means that the firmware of any standard-compliant Bluetooth chip is vulnerable.

The researchers tested the exploit on 17 different Bluetooth chips across 24 different devices, including chips from Apple, Intel, Broadcom and Qualcomm. All the tested devices were found to be at the mercy of KNOB attacks. The vulnerability was disclosed to the Bluetooth industry - via the Bluetooth Special Interest Group (SIG), the CERT Coordination Centre and the International Consortium for Advancement of Cybersecurity on the Internet - in November last year.

"After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers said. "So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed."

The vulnerability, which has been designated as CVE-2019-9506, has now been addressed by the Bluetooth SIG, which has updated the core Bluetooth specification to recommend a minimum of 7 bytes of entropy for encryption keys. While it is urging vendors to patch their products to prevent the attack, the SIG has also advised that the chances of hackers exploiting the vulnerability in the wild are slim.

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection," an advisory note from the Bluetooth SIG read. "If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."

"There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability."
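The key-size figures above can be put into a small model. This is an added example, not code from the researchers or the Bluetooth SIG: it shows why a one-byte minimum lets an unprotected negotiation settle on a 256-candidate key, and why a single endpoint enforcing the recommended 7-byte minimum refuses the connection instead. The negotiation logic is a simplified assumption, the device names are constructed, and the 16-byte maximum is the BR/EDR upper bound rather than a figure from the article.

```python
from dataclasses import dataclass
from typing import Optional

SPEC_MAX = 16        # bytes; largest BR/EDR encryption key size
LEGACY_MIN = 1       # bytes; minimum entropy the standards permitted
RECOMMENDED_MIN = 7  # bytes; minimum recommended after CVE-2019-9506


@dataclass
class Device:
    name: str          # constructed sample name
    min_size: int      # smallest key size this device will accept
    max_size: int = SPEC_MAX


def negotiate(initiator: Device, responder: Device,
              altered_proposal: Optional[int] = None) -> Optional[int]:
    """Return the agreed key size in bytes, or None if either side refuses.

    Simplified model (assumption): altered_proposal stands for the
    unprotected proposal being changed before the responder sees it.
    """
    proposal = initiator.max_size
    seen = proposal if altered_proposal is None else altered_proposal
    agreed = min(seen, responder.max_size)
    for dev in (responder, initiator):
        if not dev.min_size <= agreed <= dev.max_size:
            return None  # connection is refused rather than weakened
    return agreed


def keyspace(size_bytes: int) -> int:
    """Number of candidate keys for a key with size_bytes of entropy."""
    return 2 ** (8 * size_bytes)


def scenarios() -> dict:
    legacy_a = Device("headset-legacy", LEGACY_MIN)
    legacy_b = Device("phone-legacy", LEGACY_MIN)
    patched = Device("phone-patched", RECOMMENDED_MIN)
    return {
        "untouched": negotiate(legacy_a, legacy_b),
        "both_legacy": negotiate(legacy_a, legacy_b, altered_proposal=1),
        "patched_responder": negotiate(legacy_a, patched, altered_proposal=1),
        "patched_initiator": negotiate(patched, legacy_b, altered_proposal=1),
    }
```

The two patched scenarios return `None`, which matches the SIG's statement that the attack fails if one of the devices does not have the vulnerability.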
