
Researchers reveal "KNOB" flaw that affects almost every Bluetooth device

By nanoguy · 13 replies
Aug 17, 2019
  1. A newly discovered vulnerability in the Bluetooth protocol shows how a malicious actor can reduce the encryption strength for the keys used in the pairing of Bluetooth devices and gain complete control over them as a result. The flaw has been acknowledged by the official body that's in charge of the Bluetooth standard, and is serious enough that it required a change to the official specification.

    The way it works is quite creative: rather than brute-forcing a pairing with your device, an attacker interferes with the normal pairing procedure, when both devices have to agree on the connection using an exchange of public keys that verify their identities. These keys change every time, but if the attacker can guess them fast enough, they can force a shorter encryption key for the next pairing, as low as a single octet -- the size of one character.

    The flaw was discovered by researchers from the Singapore University of Technology and Design, Oxford, and CISPA Helmholtz Center for Information Security, who dubbed it KNOB, short for "Key Negotiation of Bluetooth." The tests were conducted on more than 17 different Bluetooth chips that are common in consumer products, and all of them were vulnerable to the KNOB attack.

    The findings were presented at the USENIX Security Symposium, and while Bluetooth Low Energy isn't affected by KNOB, traditional Bluetooth chips from major manufacturers like Intel, Broadcom, Qualcomm, Chicony and even Apple are vulnerable to the attack. The reason it was deemed a serious flaw is that victims of a KNOB attack are none the wiser about it. It's also worth noting that it even works on previously paired devices, provided that both are vulnerable.

    On the upside, the whole attack is a race against time, and the hacker would have to be in range of the two devices at the exact moment the pairing takes place. Then, they'd have to "intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both," which is as challenging as it sounds. And the attack needs to be repeated this way every time encryption gets enabled.

    Bluetooth SIG notes there is no evidence that anyone has exploited the vulnerability in the wild, and while all current Bluetooth BR/EDR devices are susceptible to it, there is an easy fix that Microsoft and Apple are already rolling out. The Bluetooth Core Specification has also been changed to require manufacturers to hardcode a minimum encryption key length of seven octets (characters) in future devices.
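To make the negotiation the article describes concrete, here is a small model of the two-message key-size exchange between a pair of BR/EDR devices, an in-range party rewriting the messages in transit, and the effect of the seven-octet floor the revised specification mandates. This is an added example, not code from the article, from Bluetooth SIG or from the KNOB researchers: the Device class, negotiate() and the channel hook are constructed for illustration and do not reproduce the real LMP message format.

```python
"""Model of the Bluetooth BR/EDR encryption key-size negotiation that KNOB abuses,
plus the fix the revised Core Specification mandates (a minimum of seven octets).
Added example: Device, negotiate() and the channel hook are constructed for
illustration and do not reproduce the real LMP message format."""

from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_OCTETS = 16  # largest encryption key size BR/EDR supports
SPEC_MIN_OCTETS = 7  # floor the updated Bluetooth Core Specification requires


def key_space(octets: int) -> int:
    """Number of possible keys for a given key length: 8 bits per octet."""
    return 2 ** (8 * octets)


@dataclass
class Device:
    name: str
    max_octets: int = MAX_KEY_OCTETS
    # Pre-fix firmware accepted any proposal down to a single octet;
    # patched firmware refuses anything below SPEC_MIN_OCTETS.
    min_octets: int = 1

    def accepts(self, octets: int) -> bool:
        return self.min_octets <= octets <= self.max_octets


def negotiate(initiator: Device, responder: Device,
              channel: Callable[[int], int] = lambda octets: octets) -> Optional[int]:
    """Two-message key-size negotiation. `channel` transforms each message in
    transit: the identity function models an honest link, a downgrading
    function models the in-range party the article describes. Returns the
    agreed key size in octets, or None if either side rejects the proposal."""
    proposal = channel(initiator.max_octets)              # initiator states its maximum
    if not responder.accepts(proposal):
        return None                                       # responder refuses (below its floor)
    reply = channel(min(proposal, responder.max_octets))  # responder answers with its maximum
    if not initiator.accepts(reply):
        return None                                       # initiator refuses the answer
    return reply


def downgrade_to_one_octet(octets: int) -> int:
    """Channel that rewrites every key-size message to 1, the KNOB scenario."""
    return 1


if __name__ == "__main__":
    phone, headset = Device("phone"), Device("headset")
    print("honest link:", negotiate(phone, headset))
    print("tampered link, both unpatched:", negotiate(phone, headset, downgrade_to_one_octet))
    patched_phone = Device("phone", min_octets=SPEC_MIN_OCTETS)
    print("tampered link, one side patched:",
          negotiate(patched_phone, headset, downgrade_to_one_octet))
    print("keys to try: 1 octet =", key_space(1), ", 7 octets =", key_space(7))
```

Two things the model makes visible: a one-octet key leaves only 256 possibilities, which is why the downgrade matters, and a device that enforces the seven-octet floor refuses the negotiation even when its peer is still unpatched, which is why the article says the attack needs both sides to be vulnerable.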

    Earlier this year there was a similar revelation of a security flaw in the Bluetooth protocol that allows devices to be tracked using an easier exploit. And yet both vulnerabilities may be less of a reason to worry than the 10 percent tariffs that will be reflected in the price of many devices imported into the US starting next month.


  2. Nero7

    Nero7 TS Evangelist Posts: 498   +236

    Here we have the reason why I never enable bluetooth ever since it came out.

    Next please tell us about bluetooth headphones harming your brain.
  3. QuantumPhysics

    QuantumPhysics TS Evangelist Posts: 1,586   +1,188

    #1 The odds that you'll end up sitting next to a master hacker are more than 7 BILLION to 1

    #2 The odds that you'll be in a position to have a device that's worth the effort to hack, or even hackable are more than 7 BILLION to 1.
    Andromadus, Puiu and hahahanoobs like this.
  4. trparky

    trparky TS Evangelist Posts: 585   +499

    OK, so the hacker can listen in on my music. Big deal. That's about the only thing I use Bluetooth for, wireless audio.
    cliffordcooley likes this.
  5. toooooot

    toooooot TS Evangelist Posts: 952   +453

    2 questions, where do I get the software to control every BT device and how much?
  6. That last sentence is as out of left field as it is unnecessary: it has nothing whatsoever to do with the entire article and it doesn't even affect your non-US readers. Please stick to crying about it where it's relevant.
  7. Evernessince

    Evernessince TS Evangelist Posts: 4,170   +3,773

    No phone? No smart assistants? You don't need to utilize the functionality in order for them to hack it. This method can communicate with any device with Bluetooth.
  8. Hardware Geek

    Hardware Geek TS Booster Posts: 110   +89

    "traditional Bluetooth chips from major manufacturers like Intel, Broadcom, Qualcomm, Chicony and even Apple"

    Even Apple? Because they are so well known for flawless hardware... lmao
  9. trparky

    trparky TS Evangelist Posts: 585   +499

    Phone? Yes, but it's an iPhone and I'm sure that Apple will deliver an iOS update to close the vulnerability (or at least make it as close to closed as possible).

    Smart assistant? Nope! I will never let those darn things into my house!

    My desktop has a Bluetooth adapter for wireless audio but if a hacker gets within distance of my desktop in my own home I'm going to have more problems than that. The hacker will also have more problems since he's probably going to be having a very bad day finished with a trip to the hospital.
  10. netman

    netman TS Evangelist Posts: 378   +132

    Keeping your phone Location On is a lot riskier than keeping your phone Bluetooth on....
  11. gamerk2

    gamerk2 TS Maniac Posts: 287   +177

    You can't patch this OS side without breaking Bluetooth pairing in the process; that's why the official Bluetooth specification is being changed.

    So the fact is, your wireless headphones allow an attack vector into your phone. That's why a growing number of workplaces are banning such devices, as they are inherently a security risk.
  12. lexster

    lexster TS Guru Posts: 611   +299

    There's a simple solution to this; DON'T USE WIRELESS!

    Wireless devices, by their very nature and design, are inherently insecure! Don't use them unless you have no other choice, and then consider doing without.
  13. Markoni35

    Markoni35 TS Addict Posts: 312   +130

    Bluetooth was engineered as a Trojan from the very start. It's a security hole common to all the popular devices (desktops, laptops, cellphones, smart TVs, cars, etc). Even if you install Linux on your computer, it will have BT turned on by default, and there's no way to switch it off using the Settings panels and dialogs.

    You can switch off WiFi, you can switch off everything, but not BT. Why would they make BT so hard to kill? Because it's a deliberate attack vector. Even on Linux. So don't think that Linux is safe. Same people that open security holes in Intel CPUs (and others) also open holes in software. Including the open-source software.

    Good thing is that BT still runs as a normal service (at least for now). So you can kill it normally as you would any other service, either from the Services window, or from the command-line.
  14. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,816   +1,180

    Phones have a big Bluetooth button you can use to turn it off; the same with Windows, you can definitely turn it off.
