Security specialists have just revealed another vulnerability in the popular standard, one that allows an attacker to take over a device remotely without major difficulty. Manufacturers of mobile devices are already preparing patches.
The vulnerability was named KNOB and affects almost every device equipped with Bluetooth connectivity. It is a flaw in the authorization protocol that can be used to conduct a man-in-the-middle attack between two paired devices. Most importantly, according to the researchers there is no evidence that anyone has used it in this way. It is possible, however, because the vulnerability reduces the strength of the encryption used to connect two devices together, allowing complete control over them, and the case is so serious that it requires changes to the official Bluetooth specification.
And how exactly does this vulnerability work? Quite creatively: instead of using a brute-force attack, i.e. breaking passwords by checking all possible combinations, the attacker can join the pairing process, in which the devices voluntarily connect to each other and exchange public keys. Although the keys change with each pairing, if the attacker gains access to them early enough, they can force a shorter key during the next verification, even a 1-symbol one, while remaining unnoticed.
The vulnerability was detected by researchers at the Singapore University of Technology and Design, Oxford and the CISPA Helmholtz Center for Information Security, who named it KNOB, from Key Negotiation of Bluetooth. Tests were carried out using more than 17 different Bluetooth chips that are popular in consumer products, and all of them turned out to be vulnerable to the attack: Intel, Broadcom, Qualcomm, Chicony or Apple, no manufacturer escaped it, and only devices using Bluetooth Low Energy turned out to be unaffected.
However, it is worth emphasizing that although this vulnerability is widespread and affects almost all Bluetooth devices, exploiting it forces the attacker into very specific conditions. For example, the attacker must be in range of both devices during the pairing process, and must then intercept, manipulate and resend the negotiation messages regarding the key length to both devices while blocking transmission between them. What's more, the whole process must be repeated every time encryption is turned on, so this is a big challenge for a hacker. One way or another, this cannot be underestimated, so the largest manufacturers are already releasing the appropriate patches, and the Bluetooth SIG is changing the specification of the standard, forcing manufacturers to use a key of at least 7 characters in future devices.
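To make the key-length negotiation and the fix concrete, here is an added example (not from the article or the researchers) that models the exchange in simplified form: an initiator proposes a key size, a responder counters, an attacker in the middle rewrites both messages, and a hardened device enforces the minimum key size the article describes. The `Device`, `negotiate`, `key_size_tamper` and `keyspace` names are assumptions for this model; the 7-octet floor is the figure the article gives as "7 characters", and real Bluetooth BR/EDR LMP negotiation has more rounds and fields than shown here.

```python
from dataclasses import dataclass
from typing import Callable, Optional

SPEC_MAX_KEY_SIZE = 16      # octets (constructed model, matches the usual maximum)
HARDENED_MIN_KEY_SIZE = 7   # octets; the floor the article says the SIG now requires

# A tamper function models an attacker in the middle: it sees each message's
# name and the key size it carries, and returns the size the peer will receive.
Tamper = Callable[[str, int], int]


@dataclass
class Device:
    name: str
    max_key_size: int = SPEC_MAX_KEY_SIZE
    min_key_size: int = 1  # legacy devices accepted as little as 1 octet


def negotiate(initiator: Device, responder: Device,
              tamper: Optional[Tamper] = None) -> Optional[int]:
    """Return the agreed key size in octets, or None if either side rejects."""
    def deliver(msg: str, size: int) -> int:
        return tamper(msg, size) if tamper else size

    # Initiator proposes its maximum; the responder sees the (possibly rewritten) value.
    proposal = deliver("key_size_req(initiator)", initiator.max_key_size)
    if proposal < responder.min_key_size:
        return None  # responder refuses a key that is too short
    # Responder counters with the largest size it supports within the proposal.
    counter = deliver("key_size_req(responder)", min(proposal, responder.max_key_size))
    if not initiator.min_key_size <= counter <= initiator.max_key_size:
        return None  # initiator refuses a key outside its acceptable range
    return counter


def key_size_tamper(msg: str, size: int) -> int:
    """Model of the KNOB rewrite: every negotiation message is lowered to 1 octet."""
    return 1


def keyspace(size: int) -> int:
    """Number of candidate keys an attacker must try for a key of `size` octets."""
    return 2 ** (8 * size)


def is_hardened(device: Device) -> bool:
    """Mitigation check: the device never accepts a key below the 7-octet floor."""
    return device.min_key_size >= HARDENED_MIN_KEY_SIZE
```

With two legacy devices the tampered negotiation settles on a 1-octet key (256 candidates), while a device whose minimum is 7 octets rejects the rewritten proposal and the connection is not established with a weak key.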