Researchers release details on security flaw that affects almost all Bluetooth devices

KNOB, which is short for Key Negotiation of Bluetooth, is a security flaw that's present in the Bluetooth communication protocol.

According to the security researchers, almost all Bluetooth devices on the market are prone to KNOB attacks. The researchers revealed the flaw in late 2018 to the industry, namely the Bluetooth Special Interest Group (Bluetooth SIG), as well as the CERT Coordination Center and the International Consortium for Advancement of Cybersecurity on the Internet (ICASI).

This security flaw is pressing enough for Bluetooth SIG to update the Bluetooth Core Specification. The exploit involves the attacker attempting to interfere with the Bluetooth BR/EDR (Bluetooth Basic Rate/ Enhanced Data Rate) communication between two Bluetooth devices during their pairing.

The vulnerability stems from the lack of a mandated length of the encryption key used during Bluetooth BR/EDR communication.

As a result, the attacker can possibly intercept the negotiating messages between the two devices and manipulate the entire process to "accept" an encryption key that has low entropy, and it can be as little as a 1 byte (8 bits), i.e., a single character.

However, this attack needs to be done in an extremely short window period, and the attacker needs to be close to the pairing Bluetooth devices.

Once the Bluetooth BR/EDR communication has been compromised by "agreeing" to the manipulated encryption key length, the attacker has to carry out a brute-force attack to guess the encryption key in order to decrypt communications.

According to the researchers, this attack warrants immediate attention because it's effective, hard to detect and low-cost. The attack works even if the Bluetooth devices have enabled their security modes.

The Bluetooth SIG has stated there isn't any evidence that the attack has been carried out but it has updated its specifications to recommend a minimum encryption key length of 7 octets (bytes) for BR/EDR connections. The body has also communicated details and its remedy to their members, encouraging "to rapidly integrate any necessary patches."

The researchers have assured that if your Bluetooth device has been updated late last year in 2018, it should be safe from KNOB attacks. This is based on the assumption that respective equipment manufacturers have updated their drivers and firmware.

The researchers hailed from Singapore University of Technology and Design, CISPA Helmholtz Centre for Information Security and University of Oxford. They have presented their findings at the USENIX Security Symposium and shared their POC on GitHub. They observed an embargo period so as to allow affected equipment manufacturers to rectify their products' vulnerability.

Vendors like Apple, Lenovo, and Intel have already issued advisories to address KNOB. Another reason to breathe a sigh of relief is Bluetooth LE devices appear to be safe from KNOB attacks for now. These devices include heart rate monitors and fitness trackers.

Do visit Bluetooth SIG as well as CERT Coordination Centre for their official response to KNOB.

This article was first published in Hardware Zone.