CVSS3: 8.1 High
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS2: 4.8 Medium
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:N
Those who are familiar with Bluetooth BR/EDR technology (aka Bluetooth Classic, from 1.0 to 5.1) can attest that it is not perfect. Like any other piece of hardware or software technology already on market, its usefulness comes with flaws.
Early last week, academics at Singapore University of Technology, the CISPA Helmholtz Center for Information Security, and University of Oxford released their research paper [PDF] on a type of brute-force attack called Key Negotiation of Bluetooth, or KNOB. KNOB targets and exploits a weakness in the firmware of a device's Bluetooth chip that allows attackers to perform a Man-in-the-Middle (MiTM) attack via packet injection and disclose or leak potentially sensitive data.
The Bluetooth vulnerability that KNOB targets is identified as CVE-2019-9506. According to the paper, Bluetooth chips manufactured by Intel, Broadcom, Apple, and Qualcomm are vulnerable to KNOB attacks.
The researchers identified two properties of the Bluetooth protocol that allow KNOB attacks to succeed.
Firstly, Bluetooth inherently allows encryption keys as short as 1 byte, which holds a single character. Think of this as a one-character password. Such a password has low entropy, meaning it is easily predictable or guessed. A low-entropy key still encrypts the paired Bluetooth connection, but an attacker can trivially recover it with a brute-force attack.
Researchers said that the 1-byte lower limit was put in place to follow international encryption regulations.
And, secondly, Bluetooth inherently does not check for changes in entropy during the phase in which two devices "negotiate" the key length they will use to encrypt their connection. Worse, this pre-pairing phase isn't encrypted. The device receiving the pairing request has no choice but to accept the low-entropy key.
Essentially, users expect that they can safely exchange potentially sensitive data with a trusted paired device over what they believe is a secure connection, but it is not, and they have no way of knowing.
The researchers illustrated their attack with three people named Alice, Bob, and Charlie: the first two are the potential targets and the last is the attacker.
Unfortunately, Alice and Bob would have no idea that they are relying on a poorly encrypted Bluetooth connection that Charlie can easily infiltrate while they exchange data.
While this may sound simple enough, it's highly unlikely that we'll see someone performing this kind of attack, random or targeted, in watering holes like coffee shops and airports. Implementing a successful KNOB attack in the wild and over the air needs expensive equipment, such as a Bluetooth protocol analyzer, as well as a finely tuned brute-force script. An over-the-air attack is also exceedingly difficult to carry out, which is why the researchers admitted to opting for a simpler, cheaper, and more reliable means of testing the effectiveness of a KNOB attack in their simulations.
Researchers surmised that, as KNOB attacks Bluetooth at the architectural level, the vulnerability "endangers potentially all standard compliant Bluetooth devices, regardless [of] their Bluetooth version number and implementation details."
Fortunately, the team already disclosed the vulnerability to the Bluetooth Special Interest Group (SIG), the organization responsible for maintaining the technology and overseeing its standards, as well as to the International Consortium for Advanced Cybersecurity on the Internet and the CERT Coordination Centre in Q4 2018.
In a security notice, SIG announced that it has remedied the vulnerability by updating the Bluetooth Core Specification to recommend the use of encryption keys with a minimum of 7 bytes of entropy for BR/EDR connections.
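The two weaknesses described above (a 1-byte key-size floor and an unverified, unencrypted key-size negotiation) and the SIG's 7-byte remedy are easiest to see in a small model. The following is an added example, not code from the article, the researchers, or the Bluetooth SIG: it simulates the BR/EDR encryption key-size negotiation between two controllers, shows how the legacy floor lets the exchange settle on a key whose entire keyspace is 256 values, and shows how enforcing the updated minimum rejects that downgrade. The `KeySizePolicy` class, the `received_proposal` hook standing in for a value altered on the unencrypted link, and all numbers other than the 1-, 7-, and 16-byte limits are constructed for illustration.

```python
"""Model of BR/EDR encryption key-size negotiation (added example, not SIG code).

Each controller offers a maximum key size and will accept any size down to its
own minimum. The agreed size is the smaller of the two offers, and the legacy
protocol verifies nothing else about the exchange.
"""

from dataclasses import dataclass
from typing import Optional

MAX_KEY_BYTES = 16           # BR/EDR encryption keys are at most 16 bytes (128 bits)
LEGACY_MIN_KEY_BYTES = 1     # floor the original specification allowed
HARDENED_MIN_KEY_BYTES = 7   # floor recommended by the updated Core Specification


@dataclass(frozen=True)
class KeySizePolicy:
    """What a controller offers (max_bytes) and will still accept (min_bytes)."""
    max_bytes: int = MAX_KEY_BYTES
    min_bytes: int = LEGACY_MIN_KEY_BYTES

    def __post_init__(self) -> None:
        if not 1 <= self.min_bytes <= self.max_bytes <= MAX_KEY_BYTES:
            raise ValueError("invalid key-size policy")


class NegotiationRejected(Exception):
    """Raised when a side refuses the agreed key size."""


def negotiate_key_size(initiator: KeySizePolicy, responder: KeySizePolicy,
                       received_proposal: Optional[int] = None) -> int:
    """Return the agreed key size in bytes or raise NegotiationRejected.

    received_proposal is the size the responder actually sees on the link
    (constructed hook). When it differs from initiator.max_bytes, the proposal
    was altered in transit; the legacy protocol has no way to notice that, so
    the only defence is each side's own minimum.
    """
    proposed = initiator.max_bytes if received_proposal is None else received_proposal
    agreed = min(proposed, responder.max_bytes)
    # Each side checks the agreed value only against its own floor.
    if agreed < responder.min_bytes or agreed < initiator.min_bytes:
        raise NegotiationRejected(f"{agreed}-byte key is below the accepted minimum")
    return agreed


def brute_force_keyspace(key_bytes: int) -> int:
    """Upper bound on guesses needed to recover a key of the given size."""
    return 2 ** (8 * key_bytes)


def downgrade_blocked(initiator: KeySizePolicy, responder: KeySizePolicy,
                      received_proposal: int) -> bool:
    """True when a tampered proposal is rejected by the pair's policies."""
    try:
        negotiate_key_size(initiator, responder, received_proposal)
    except NegotiationRejected:
        return True
    return False


if __name__ == "__main__":
    legacy = KeySizePolicy()
    hardened = KeySizePolicy(min_bytes=HARDENED_MIN_KEY_BYTES)

    # Honest negotiation: both sides offer 16 bytes and agree on 16.
    print("honest legacy pair agrees on", negotiate_key_size(legacy, legacy), "bytes")

    # Legacy floor: a proposal altered to 1 byte is accepted, leaving 256 candidate keys.
    weak = negotiate_key_size(legacy, legacy, received_proposal=1)
    print("downgraded legacy pair agrees on", weak, "byte(s);",
          brute_force_keyspace(weak), "candidate keys")

    # Hardened floor: the same downgrade is refused by either patched side.
    print("downgrade blocked with one patched side:",
          downgrade_blocked(hardened, legacy, 1))
    print("keyspace at the 7-byte minimum:", brute_force_keyspace(HARDENED_MIN_KEY_BYTES))
```

Note that the model reflects the text's point exactly: neither side can detect that the proposal was altered, so raising the minimum each side will accept is the mitigation, and a single patched side is enough to refuse a 1-byte key.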
To know whether your Bluetooth devices are vulnerable to the KNOB attack, recall whether you have updated them since late 2018. If you haven't, chances are that your devices are vulnerable. The researchers were confident that updates released after that date fix the vulnerability.
If you're still unsure, Carnegie Mellon University put together information on systems that KNOB can affect.
Patching all your Bluetooth devices is the logical next step, especially if you're unsure whether you have done so since late last year.
Here is a concise list of security update notices from product vendors of Bluetooth-enabled devices you might want to check out:
When it comes to sharing potentially sensitive data with someone else, Bluetooth isn't a technology that truly guarantees a safe and secure exchange. So, as a final note, you're better off using other, more secure methods of sharing data.
As for your Bluetooth headphones, should you be worried? Maybe not so much. But you might want to think about your IoT devices, mobile phones, and smart jewelry.
Stay informed and stay safe!
The post Bluetooth vulnerability can be exploited in Key Negotiation of Bluetooth (KNOB) attacks appeared first on Malwarebytes Labs.