Key Negotiation Of Bluetooth (KNOB) attack

Aug 16, 2019 15:32 GMT  ·  By

A group of security researchers have discovered a critical security vulnerability in the Bluetooth wireless communication protocol, which leaves millions of devices vulnerable to attacks.

Daniele Antonioli from the Singapore University of Technology and Design, Nils Ole Tippenhauer from the CISPA Helmholtz Center for Information Security, and Kasper Rasmussen from the Department of Computer Science University of Oxford have published a paper entitled "The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR," where they disclose a new major Bluetooth security flaw.

According to the security researchers, the new Bluetooth vulnerability could leave millions of Bluetooth-powered devices exposed to a new type of attack called KNOB (short from Key Negotiation Of Bluetooth) by allowing attackers to brute force the Bluetooth pairing procedure and spy on the data being shared between your Bluetooth devices, even if they were previously paired.

"The KNOB attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack," reads the official KNOB website.

Update your devices immediately

Being a major vulnerability that affects all Bluetooth enabled devices, the security researchers had to coordinate the public disclosure with the industry so that companies have time to patch the flaw and release security updates to users to install on their Bluetooth-powered devices. The security flaw was disclosed back in November 2018 with the Bluetooth Special Interest Group (Bluetooth SIG) and it's documented as CVE-2019-9506.

While some of the major tech companies like Apple, Intel, and Microsoft have already released patches for this critical Bluetooth vulnerability, the security researches warn that if your device was not updated since late 2018, it is likely vulnerable. Therefore, you are urged to update all of your Bluetooth enabled devices to the latest software version available at the moment of writing.