Bluetooth flaw leaves everyone vulnerable to terrifying KNOB attack
The Bluetooth specification has been changed after security researchers discovered a vulnerability that enabled connections to be gatecrashed.
The Bluetooth SIG body acknowledged the possibility of Key Negotiation of Bluetooth, or KNOB, attacks, which could enable a bad actor to bypass the usual permissions protocol for pairing devices, which depends on both devices agreeing to the connection.
In a security notice published by the Bluetooth SIG, the organisation explained that an attacking device could reduce the length of the encryption key required to pair devices right down to a single character.
From here, it would be possible to spy on data shared between two devices simply by trying every available single character until the correct encryption key was used. The vulnerability even stretched to devices that had been previously paired, the researchers said.
It’s not known whether the method had ever been used by attackers to access device connections, but the Bluetooth SIG says there’s no evidence of it happening. Regardless, the likes of Microsoft and Apple have already patched their products to negate the problem.
In truth, it would take some remarkable circumstances for the flaw to be truly exploited, because the attacker would need to be within radio range, and both Bluetooth Classic devices would need to be vulnerable to the flaw.
“The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used,” the Bluetooth SIG wrote in the notice.
“In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet.
“In addition, the researchers identified that, even in cases where a Bluetooth specification did mandate a minimum key length, Bluetooth products exist in the field that may not currently perform the required step to verify the negotiated encryption key meets the minimum length. In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic.”
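The missing verification step the notice describes, as an added model that is not code from the article, the researchers or the Bluetooth SIG: a simplified simulation of the BR/EDR key size negotiation in which a clean link agrees on a 16-octet key, a constructed in-the-middle rewrite that forces every size to one octet is accepted by devices whose minimum is the pre-fix default of 1, and is rejected as soon as either endpoint enforces a sensible minimum (7 octets is an assumed policy value here). The `Device` class, the `link` hook and the `brute_force_keyspace` helper are illustrative constructs.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Hypothetical BR/EDR endpoint with its key-size policy in octets."""
    name: str
    max_key_octets: int = 16  # Lmax: longest key the controller supports
    min_key_octets: int = 1   # Lmin: shortest key it will accept (pre-fix default)


def negotiate_key_size(initiator, responder, link=lambda size: size):
    """Simplified model of the encryption key size negotiation.

    `link` models what the radio link delivers: the identity function is a
    clean channel, while a constructed function that rewrites every size to 1
    models the KNOB weakness. Returns the agreed key length in octets, or
    None when either side refuses to set up encryption with that length.
    """
    # Step 1: the initiator proposes the largest key it supports
    proposal = link(initiator.max_key_octets)
    # Step 2: the responder refuses anything below its minimum, otherwise
    # answers with the largest size it supports that is not above the proposal
    if proposal < responder.min_key_octets:
        return None
    reply = link(min(proposal, responder.max_key_octets))
    # Step 3: the verification step the notice says some products skip:
    # the initiator checks the answer against its own policy before using it
    if not (initiator.min_key_octets <= reply <= initiator.max_key_octets):
        return None
    return reply


def brute_force_keyspace(octets):
    """Number of candidate keys an eavesdropper must try for a given length."""
    return 256 ** octets


if __name__ == "__main__":
    force_one_octet = lambda size: 1  # constructed in-the-middle rewrite
    phone, headset = Device("phone"), Device("headset")
    print("clean link:", negotiate_key_size(phone, headset))
    print("tampered, no minimum:", negotiate_key_size(phone, headset, force_one_octet))
    strict_phone = Device("phone", min_key_octets=7)
    print("tampered, minimum enforced:", negotiate_key_size(strict_phone, headset, force_one_octet))
    print("keys to try at 1 octet:", brute_force_keyspace(1), "at 16:", brute_force_keyspace(16))
```

Enforcing the minimum on one endpoint is enough to abort the weakened negotiation in this model, which is why host and controller updates on either side reduce exposure.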