“KNOB” Security Flaw Affects All Versions Of Bluetooth BR/EDR Devices
When a technology becomes ubiquitous enough, it also becomes a favourite target of cybercriminals, and each vulnerability that security researchers discover may be only the tip of the iceberg. Bluetooth is a case in point: every new version of the specification ships with fixes for the previous one. The latest version at the time of this writing is Bluetooth 5.1, which adds features over 5.0 but also addresses problems found in it.
Now a critical flaw, tracked as CVE-2019-9506, has been disclosed by the Center for IT-Security, Privacy, and Accountability (CISPA), together with Amazon, Apple, Intel, Microsoft, and Cisco. Credit goes to Daniele Antonioli of SUTD, Singapore; Dr. Nils Ole Tippenhauer of CISPA, Germany; and Prof. Kasper Rasmussen of the University of Oxford, England. The researchers presented the attack at the USENIX Security Symposium, which is ongoing at the time of this writing. They call it KNOB, for Key Negotiation Of Bluetooth, and it affects every device implementing Bluetooth BR/EDR from version 1.0 through 5.1. The flaw lets an attacker weaken the encryption of a Bluetooth link by forcing the negotiated encryption key down to a single octet. An 8-bit key has only 256 possible values, so a trivial brute-force attack is enough to break what would otherwise be a secure connection.
“The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used. In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet,” the Bluetooth Special Interest Group (Bluetooth SIG) explained in its security notice.
Once the single-octet key has been brute-forced, the attacker holds the same encryption key as the two legitimate devices and can decrypt all traffic on that link in real time and inject valid encrypted packets of their own, in effect acting as a man-in-the-middle between the Bluetooth host and client. Note that the weakened negotiation happens after pairing, each time the two devices set up an encrypted connection, so the attacker never needs the long-term link key that pairing produced. In practice this means injecting Bluetooth commands, reading keystrokes sent by a Bluetooth keyboard, or silently monitoring the traffic of a PAN (Personal Area Network, the network type that Bluetooth devices establish among themselves).
The good news is that the attack is not trivial to mount. Both devices must be communicating over BR/EDR (Bluetooth Classic), which is where the affected key-size negotiation lives, and both must accept a key as short as one octet. Since this is Bluetooth, the attacker must be within radio range of both devices, and must be active at the moment the encryption key size is negotiated, because that is the only point at which the key length can be influenced. And because the encryption key is renegotiated for every new connection, the attack has to be repeated each time the two devices reconnect.
“Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections. The Bluetooth SIG will also include testing for this new recommendation within our Bluetooth Qualification Program. In addition, the Bluetooth SIG strongly recommends that product developers update existing solutions to enforce a minimum encryption key length of 7 octets for BR/EDR connections,” the Bluetooth SIG concluded.
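To make the mechanics concrete, here is an added toy model of the three pieces the article describes: the key-size negotiation, the brute force against a one-octet key, and the 7-octet minimum that the Bluetooth SIG now recommends. It is illustrative code written for this page, not code from the article, the KNOB researchers, or any Bluetooth stack. Everything in it is a stand-in: the negotiation is reduced to one request and one reply, the attacker is modelled as a function that rewrites each proposal in transit, an HMAC-SHA256 keystream plays the role of the E0 cipher, the entropy-reduction step is a truncated HMAC rather than the specification's polynomial arithmetic, and the link key, nonce and "keystroke" traffic are constructed sample values.

```python
"""Toy model of Bluetooth BR/EDR encryption key size negotiation and the
KNOB attack against it.  Added illustration; none of this is real LMP or E0."""
import hashlib
import hmac

LINK_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed, not a real key
MIN_KEY_SIZE_LEGACY = 1   # what a pre-fix implementation may accept
MIN_KEY_SIZE_FIXED = 7    # Bluetooth SIG recommendation after CVE-2019-9506


def negotiate_key_size(master_max, slave_max, master_min, slave_min, tamper=None):
    """Simplified LMP_encryption_key_size_req exchange (stand-in, not real LMP).
    Returns the agreed size in octets, or None if either side rejects.
    `tamper(size)` models an in-path attacker rewriting a proposal."""
    proposal = master_max
    if tamper:
        proposal = tamper(proposal)        # master's request as the slave sees it
    if proposal < slave_min:
        return None                         # slave sends LMP_not_accepted
    reply = min(proposal, slave_max)
    if tamper:
        reply = tamper(reply)              # slave's reply as the master sees it
    if reply < master_min:
        return None                         # master sends LMP_not_accepted
    return reply


def shorten_key(link_key, size):
    """Stand-in for the spec's entropy reduction: a 16-byte key whose
    entropy is limited to `size` octets (the rest is zero)."""
    if not 1 <= size <= 16:
        raise ValueError("key size must be 1..16 octets")
    effective = hmac.new(link_key, b"Kc", hashlib.sha256).digest()[:size]
    return effective + bytes(16 - size)


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for the E0 stream cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key, nonce, data):
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def brute_force_key(nonce, ciphertext, known_prefix, size):
    """Try every key with `size` octets of entropy; return the one whose
    decryption starts with `known_prefix`.  Only feasible for tiny sizes."""
    if size > 2:
        raise ValueError("2^%d candidates is not brute-forceable here" % (8 * size))
    for candidate in range(256 ** size):
        key = candidate.to_bytes(size, "big") + bytes(16 - size)
        if encrypt(key, nonce, ciphertext[: len(known_prefix)]) == known_prefix:
            return key
    return None


def knob_scenario(master_min, slave_min):
    """Negotiate with a KNOB attacker forcing every proposal to 1 octet, then
    attempt the brute force.  Returns (agreed_size, recovered_plaintext)."""
    size = negotiate_key_size(16, 16, master_min, slave_min, tamper=lambda s: 1)
    if size is None:
        return None, None                     # a side enforcing the minimum refuses
    key = shorten_key(LINK_KEY, size)
    nonce = b"clk-constructed"                # stands in for the clock input to E0
    plaintext = b"HID: keystroke 'p','a','s','s'"   # constructed sample traffic
    ct = encrypt(key, nonce, plaintext)
    recovered = brute_force_key(nonce, ct, b"HID:", size)   # "HID:" assumed known
    if recovered is None:
        return size, None
    return size, encrypt(recovered, nonce, ct)


if __name__ == "__main__":
    print("legacy devices:", knob_scenario(MIN_KEY_SIZE_LEGACY, MIN_KEY_SIZE_LEGACY))
    print("fixed devices: ", knob_scenario(MIN_KEY_SIZE_FIXED, MIN_KEY_SIZE_FIXED))
    print("only one fixed:", knob_scenario(MIN_KEY_SIZE_FIXED, MIN_KEY_SIZE_LEGACY))
```

Two things the model makes visible that the prose does not. First, the attacker needs no knowledge of the link key: the brute force runs purely over the 256 candidate values the negotiated size allows, checked against a few bytes of predictable plaintext. Second, the fix works as long as either device enforces the 7-octet floor, because a rejected proposal ends the negotiation instead of producing a weak key; the cost is that such a device will refuse to talk to a peer that insists on a shorter key.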