A significant security vulnerability in Bluetooth has left millions of smartphones and other devices at risk of attack, researchers have said.
The flaw would allow an attacker within radio range to brute force the encryption key that two already-paired devices negotiate when they set up an encrypted connection, and then monitor or even manipulate the data transferred between them.
The vulnerability has been given the name “Key Negotiation of Bluetooth attack” or “KNOB” for short and it affects Bluetooth BR/EDR devices using specification versions 1.0 to 5.1.
News of the KNOB vulnerability was revealed in a coordinated disclosure between the Center for IT-Security, Privacy and Accountability (CISPA), ICASI and ICASI members including Microsoft, Apple, Intel, Cisco and Amazon.
The flaw itself allows an attacker to interfere with the key-size negotiation that takes place when a BR/EDR connection is encrypted, reducing the entropy of the encryption key that is actually used. In some cases the key can be reduced to just a single octet (8 bits), leaving only 256 possible keys, which can be tried exhaustively in a fraction of a second and makes the link trivial to decrypt.
A security advisory on Bluetooth.com provided further insight into how the KNOB vulnerability functions, saying:
“The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used. In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet.”
After brute forcing the weakened key for a connection, attackers could then decrypt, monitor and manipulate the data being sent between the two devices. This would even allow them to inject commands, capture keystrokes and carry out other types of malicious behavior. Fortunately, ICASI has not yet seen this attack method used maliciously, nor is it aware of any devices having been built to carry out this type of attack.
Exploiting the KNOB vulnerability would also be difficult in practice: both devices need to be Bluetooth BR/EDR, the attacker needs to be within range of both devices while they establish the connection, and because the key size is negotiated afresh each time encryption is enabled, the attack has to be repeated every time the devices connect, not just when they are first paired. The Bluetooth specification has been updated to recommend a minimum encryption key length of seven octets for BR/EDR connections to address this vulnerability. This is a recommendation rather than a hard requirement, so protection on a given device depends on its vendor shipping a firmware or OS update that enforces the minimum.
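The following is an added model of the mechanism described above, not code from the original article or from the researchers. It models the key-size negotiation between two devices, the position of a man-in-the-middle that rewrites every proposal down to one octet, the resulting brute force, and the effect of enforcing a seven-octet minimum. Everything in it is a simplification and an assumption: the real Link Manager Protocol exchange, the spec's polynomial key-shrinking procedure and the E0 cipher are all replaced with stand-ins (truncate-and-zero-pad for the key, a SHA-256-based XOR keystream for the cipher), so the numbers it produces illustrate the key-space argument, not Bluetooth's actual cryptography.

```python
import hashlib

KEY_OCTETS = 16  # full BR/EDR encryption key length in octets


def negotiate_key_size(a_max, a_min, b_max, b_min, attacker=None):
    """Simplified model (assumption, not the real LMP exchange) of the BR/EDR
    encryption key size negotiation between devices A and B.

    A proposes its maximum size; B answers with the largest size it supports
    up to that proposal; A accepts if the answer lies within its own limits.
    `attacker`, if given, is a function that rewrites every value on the wire,
    which is the position a KNOB man-in-the-middle occupies.
    Returns the agreed size in octets, or None if either side rejects.
    """
    proposal = a_max
    if attacker:
        proposal = attacker(proposal)
    if proposal < b_min:
        return None  # B rejects: below the minimum it is willing to accept
    answer = min(proposal, b_max)
    if attacker:
        answer = attacker(answer)
    if answer < a_min or answer > a_max:
        return None  # A rejects: outside its own limits
    return answer


def knob_attacker(size):
    """KNOB MITM: whatever either side proposes, forward 1 octet instead."""
    return 1


def shrink_key(key, n):
    """Reduce a 16-octet key to n octets of entropy.

    Stand-in for the spec's key-shrinking procedure (assumption): keep the
    first n octets and zero the rest. The real procedure uses polynomial
    modular reduction, but the size of the resulting key space is the same.
    """
    assert len(key) == KEY_OCTETS and 1 <= n <= KEY_OCTETS
    return key[:n] + bytes(KEY_OCTETS - n)


def keystream_encrypt(key, nonce, data):
    """Stand-in stream cipher (assumption, not E0): XOR with a keystream
    derived from SHA-256(key || nonce || counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        stream.extend(block)
        counter += 1
    return bytes(p ^ k for p, k in zip(data, stream))


def brute_force_key(n, nonce, known_plaintext, ciphertext, limit=2 ** 20):
    """Try every key with n octets of entropy against a known plaintext/ciphertext
    pair. Returns the recovered key, or None if the key space exceeds `limit`
    (which is the attacker's situation against a full 16-octet key)."""
    if 256 ** n > limit:
        return None
    for i in range(256 ** n):
        candidate = i.to_bytes(n, "big") + bytes(KEY_OCTETS - n)
        if keystream_encrypt(candidate, nonce, known_plaintext) == ciphertext:
            return candidate
    return None


def run_knob_demo():
    """Walk through the three scenarios and return the outcomes for inspection."""
    key = bytes(range(16))          # constructed sample link-derived key
    nonce = b"\x00" * 8             # constructed sample nonce
    plaintext = b"hello"            # known plaintext the attacker can guess

    # 1. Honest negotiation: both sides allow 1..16, no attacker -> 16 octets.
    honest = negotiate_key_size(16, 1, 16, 1)
    # 2. KNOB: same devices, attacker rewrites proposals -> 1 octet.
    attacked = negotiate_key_size(16, 1, 16, 1, attacker=knob_attacker)
    # 3. Devices enforce the updated 7-octet minimum -> attacker's 1 is rejected.
    mitigated = negotiate_key_size(16, 7, 16, 7, attacker=knob_attacker)

    weak_key = shrink_key(key, attacked)
    ciphertext = keystream_encrypt(weak_key, nonce, plaintext)
    recovered = brute_force_key(attacked, nonce, plaintext, ciphertext)
    full_ct = keystream_encrypt(key, nonce, plaintext)
    recovered_full = brute_force_key(honest, nonce, plaintext, full_ct)

    return {
        "honest_size": honest,
        "attacked_size": attacked,
        "mitigated_size": mitigated,
        "weak_key_recovered": recovered == weak_key,
        "full_key_recovered": recovered_full is not None,
    }


if __name__ == "__main__":
    for name, value in run_knob_demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one in the advisory: nothing in the negotiation itself is broken if a device refuses sizes below seven octets, because the attacker's rewritten proposal is simply rejected; the weakness is that the pre-fix specification let a device accept a single-octet key, and a 256-entry key space is recovered from one known plaintext in a loop rather than a data centre.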