The Bluetooth SIG has issued a security notice detailing a major bug in the technology’s protocols. It is known as the KNOB Bluetooth vulnerability and it affects the security and privacy of millions of devices, especially IoT ones.
The KNOB Bluetooth Vulnerability Is a Serious Issue Concerning Bluetooth-Enabled Devices
A team of security specialists has detected a critical threat that affects Bluetooth-enabled devices. It is known as the KNOB Bluetooth vulnerability and effectively allows malicious operators to attack target end devices while at the same time stealing sensitive encryption keys during the connection initiation process. As a consequence, the criminals will be able to hijack all traffic and user interactions. All of this represents a tremendous threat to Bluetooth devices; however, the problem has been found to come from the protocol standards themselves. The security reports indicate that the issue comes from the technical specifications, which were created 20 years ago!
The KNOB Bluetooth vulnerability can be used against devices that feature the technology from v1.0 to 5.1. In short, the attackers can make two or more victim devices use a single encryption key during the initial connection request. When this is done, the hackers will be able to brute-force it very easily and actively eavesdrop on the contents. As a consequence, the following malicious actions can be undertaken:
- Surveillance of the Victims
- Manipulation of Contents
- Injecting Code and Data in Active Transmissions
The affected Bluetooth device owners will have no knowledge that this is being done, as the flaw affects them on a protocol level and there can be no notification that the hackers have accessed their data. The posted security disclosure notes that chips from all major manufacturers are affected: Intel, Apple, Broadcom and Qualcomm.
At the moment there is no information on whether malicious users have carried out any exploits. To remediate this issue, the Bluetooth SIG is recommending that all manufacturers change the key length sizes used in the Bluetooth protocol implementation in their chips and devices. This will make it significantly harder to brute-force the keys. Users should expect firmware updates in the coming months that will hopefully fix the KNOB Bluetooth vulnerability.
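The weak-key negotiation and the key-length remediation described above can be seen side by side in a short simulation. This is an added example, not code from the article or from any vendor firmware. Its type and function names are hypothetical, and it assumes the 1 to 16 octet BR/EDR key-size range and a 7-octet minimum, neither of which the article states.

```c
#include <stdio.h>

/* Assumption (not from the article): BR/EDR lets the two controllers
   negotiate an encryption key size between 1 and 16 octets. */
#define KEY_SIZE_FLOOR 1
#define KEY_SIZE_CEIL  16

struct key_policy { int min_octets; int max_octets; };   /* hypothetical type */
static const struct key_policy LEGACY_POLICY   = { 1, 16 }; /* accepts any allowed size */
static const struct key_policy HARDENED_POLICY = { 7, 16 }; /* assumed 7-octet minimum  */

/* Returns the agreed key size in octets, or -1 if the link must be refused.
   `proposed` is the size received from the peer; the request is not
   authenticated on the air, so it may have been lowered in transit. */
int negotiate_key_size(struct key_policy local, int proposed)
{
    if (proposed < KEY_SIZE_FLOOR || proposed > KEY_SIZE_CEIL)
        return -1;                        /* malformed proposal */
    int agreed = proposed < local.max_octets ? proposed : local.max_octets;
    if (agreed < local.min_octets)
        return -1;                        /* below the local minimum: refuse */
    return agreed;
}

/* Brute-force effort expressed as bits of key entropy (0 if refused). */
int keyspace_bits(int octets) { return octets > 0 ? octets * 8 : 0; }

int main(void)
{
    int proposals[] = { 16, 7, 1 };   /* constructed; 1 models a downgraded request */
    for (int i = 0; i < 3; i++) {
        int p = proposals[i];
        int a = negotiate_key_size(LEGACY_POLICY, p);
        int b = negotiate_key_size(HARDENED_POLICY, p);
        printf("proposed=%2d  legacy=%2d (%3d bits)  hardened=%2d (%3d bits)\n",
               p, a, keyspace_bits(a), b, keyspace_bits(b));
    }
    return 0;
}
```

A result of -1 means the device drops the connection rather than encrypt with a key it considers too short, which is the behaviour a patched controller needs.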