The Bluetooth vulnerability, called KNOB, affects how the encryption key is negotiated when devices connect and allows an attacker to manipulate the data transmitted between the two devices. The problem affects devices that support Bluetooth BR/EDR (Bluetooth Classic) with specification versions 1.0 through 5.1.
Researchers from the Center for IT-Security, Privacy and Accountability (CISPA) discovered the vulnerability.
The vulnerability (CVE-2019-9506) allows an attacker to reduce the length of the encryption key used to establish the connection. In some cases, the key length can be reduced to one octet.
This makes it much easier for an attacker to carry out a brute force attack and recover the encryption key the devices use when connecting to each other.
“In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor traffic,” CISPA specialists reported.
Having obtained the key, the attacker can manipulate the data transmitted between devices, including injecting commands, monitoring keystrokes, etc.
Exploiting the vulnerability is not easy, and certain conditions must be met to carry out an attack.
Firstly, both devices must support Bluetooth BR/EDR. Secondly, the attacker must be nearby while the devices are connecting to each other. Thirdly, the attacking device must be able to intercept, manipulate and retransmit the key length negotiation messages between the two devices while at the same time blocking the transmissions from both.
In addition, shortening the key length alone is not enough to obtain the encryption key; the attacker must still successfully crack it. The attack also has to be repeated every time the devices connect again.
“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” the Bluetooth SIG reported.
To remedy the vulnerability, the Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections. In addition, the Bluetooth SIG strongly recommends that product developers update existing solutions to enforce a minimum encryption key length of 7 octets for BR/EDR connections.
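The following is an added illustration, not code from the article or from the CISPA researchers: a simplified model of the key length negotiation described above, showing why an in-path downgrade to one octet succeeds between two legacy devices and why enforcing the 7-octet minimum on either side makes the negotiation fail instead. The negotiation flow, device names and the `tamper` parameter are simplifying assumptions; real LMP exchanges have more steps.

```python
from dataclasses import dataclass
from typing import Optional

SPEC_MAX_KEY_OCTETS = 16      # BR/EDR encryption key is at most 16 octets
RECOMMENDED_MIN_OCTETS = 7    # minimum now recommended by the Bluetooth SIG


@dataclass
class Device:
    """A BR/EDR device with the smallest key size it is willing to accept."""
    name: str
    min_key_octets: int

    def accept(self, proposed: int) -> bool:
        return self.min_key_octets <= proposed <= SPEC_MAX_KEY_OCTETS


def negotiate(initiator: Device, responder: Device,
              tamper: Optional[int] = None) -> Optional[int]:
    """Return the agreed key size in octets, or None if negotiation fails.

    Simplified model (assumption): the initiator proposes the maximum size,
    and both sides end up checking the size that actually crosses the link.
    `tamper`, if given, is the size an in-path attacker substitutes for the
    proposal, which is the manipulation the article describes.
    """
    proposed = SPEC_MAX_KEY_OCTETS
    on_the_air = tamper if tamper is not None else proposed
    if not responder.accept(on_the_air):
        return None               # responder rejects: no key agreed
    if not initiator.accept(on_the_air):
        return None               # initiator rejects the reduced size
    return on_the_air


def brute_force_keyspace(key_octets: int) -> int:
    """Number of candidate keys for a key of the given length."""
    return 2 ** (8 * key_octets)


if __name__ == "__main__":
    legacy_a = Device("legacy-a", min_key_octets=1)   # pre-KNOB behaviour
    legacy_b = Device("legacy-b", min_key_octets=1)
    patched = Device("patched", min_key_octets=RECOMMENDED_MIN_OCTETS)
    print("legacy pair, no tampering:", negotiate(legacy_a, legacy_b))
    print("legacy pair, downgraded:", negotiate(legacy_a, legacy_b, tamper=1))
    print("one patched side, downgraded:", negotiate(patched, legacy_b, tamper=1))
    print("keyspace 1 vs 7 octets:", brute_force_keyspace(1), brute_force_keyspace(7))
```

With two legacy devices the downgrade yields a one-octet key and a search space of only 256 candidates; with the recommended minimum enforced on even one side, the downgraded proposal is rejected and no weakened key is agreed.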