Security researchers have said that Bluetooth devices are prone to a new vulnerability dubbed ‘KNOB’ that allows attackers to easily brute force the encryption key that is used for pairing to devices via Bluetooth.
In a coordinated disclosure between the Center for IT-Security, Privacy, and Accountability (CISPA) and ICASI, it has been found that the flaw affects Bluetooth BR/EDR devices that use versions 1.0-5.1. The flaw is tracked as CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection.
The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used.
Researchers further noted that, “For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection.”
Once the attackers manage to get the encryption key, they can monitor or manipulate traffic transferred between two paired devices. This includes potentially injecting commands, monitoring keystrokes and other types of behavior.
“In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic,” added the researchers.
Exploiting this vulnerability is not an easy task, as it is subject to limitations such as the following:
- Both devices need to be Bluetooth BR/EDR.
- The attack is possible only if the attacker is within Bluetooth range of the targeted device.
- If an attempt fails, the attacker can repeat the attack only when the devices are paired.
Bluetooth users should install the latest recommended updates from their respective device and operating system manufacturers. The Bluetooth specification has been updated with a minimum encryption key length of 7 octets for BR/EDR connections.