Newly discovered flaw affects Bluetooth-enabled devices, say researchers


Security researchers have said that Bluetooth devices are prone to a new vulnerability dubbed ‘KNOB’ that allows attackers to easily brute force the encryption key used when devices pair over Bluetooth.

In a coordinated disclosure involving the Center for IT-Security, Privacy, and Accountability (CISPA) and ICASI, the flaw was found to affect Bluetooth BR/EDR devices that use versions 1.0-5.1. The flaw is tracked as CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection.

The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used.

Researchers further noted that, “For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection.”

Once the attackers manage to get the encryption key, they can monitor or manipulate traffic transferred between two paired devices. This includes potentially injecting commands, monitoring keystrokes and other types of behavior.

“In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic,” added the researchers.

Exploiting this vulnerability is not easy, as it is subject to limitations such as the following:

  • Both devices need to be Bluetooth BR/EDR.
  • The attack is possible only if the attacker is within Bluetooth range of the targeted device.
  • If an attempt fails, the attacker can repeat the attack only when the devices are paired.

Bluetooth users should install the latest recommended updates from their respective device and operating system manufacturers. The Bluetooth specification has been updated to a minimum encryption key length of 7 octets for BR/EDR connections.
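
The following is an added example, not code from the researchers or from this article: a Python audit that scans connection records and flags BR/EDR links whose negotiated encryption key is shorter than the 7-octet minimum. The log format, field names and sample records are constructed for illustration, and the 16-octet upper bound is an assumption not stated in the article.

```python
import re

MIN_KEY_OCTETS = 7    # minimum for BR/EDR connections stated in the article
MAX_KEY_OCTETS = 16   # assumption: largest BR/EDR encryption key size (128 bits)

# Hypothetical log format, constructed for this example.
LINE_RE = re.compile(
    r"conn=(?P<conn>0x[0-9a-fA-F]+)\s+peer=(?P<peer>[0-9A-F:]{17})\s+"
    r"link=(?P<link>\S+)\s+enc_key_size=(?P<size>\d+)"
)

# Constructed sample records (not real devices or captures).
SAMPLE_LOG = """\
conn=0x0041 peer=AA:BB:CC:00:00:01 link=BR/EDR enc_key_size=16
conn=0x0042 peer=AA:BB:CC:00:00:02 link=BR/EDR enc_key_size=1
conn=0x0043 peer=AA:BB:CC:00:00:03 link=LE enc_key_size=16
conn=0x0044 peer=AA:BB:CC:00:00:04 link=BR/EDR enc_key_size=7
conn=0x0045 peer=AA:BB:CC:00:00:05 link=BR/EDR enc_key_size=5
conn=0x0046 peer=AA:BB:CC:00:00:06 link=BR/EDR enc_key_size=0
garbage line without fields
"""

def audit(log_text, minimum=MIN_KEY_OCTETS):
    """Return (findings, rejects): weak BR/EDR links and unusable line numbers."""
    findings, rejects = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            rejects.append(lineno)          # unparseable: review by hand
            continue
        size = int(m["size"])
        if not 1 <= size <= MAX_KEY_OCTETS:
            rejects.append(lineno)          # impossible key size: bad record
            continue
        if m["link"] != "BR/EDR":
            continue                        # the article's flaw is BR/EDR only
        if size < minimum:
            findings.append({
                "conn": m["conn"], "peer": m["peer"], "octets": size,
                "key_bits": size * 8,                       # brute-force space is 2**key_bits
                "shortfall_bits": (minimum - size) * 8,     # bits below the minimum
            })
    return findings, rejects

if __name__ == "__main__":
    weak, bad = audit(SAMPLE_LOG)
    for f in weak:
        print(f"{f['conn']} {f['peer']}: {f['octets']} octets "
              f"(2^{f['key_bits']} keys, {f['shortfall_bits']} bits under minimum)")
    print("lines needing manual review:", bad)
```

A link exactly at 7 octets passes this check, matching the minimum the article cites; rejected lines are returned separately so a malformed record is never silently treated as safe.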

 
