
Researchers Discover Serious Bluetooth Vulnerability

Dominique Adams



Researchers have uncovered a critical security flaw in a wide range of Bluetooth devices that can let hackers access your photographs, address books, and other sensitive data.

International researchers have discovered a serious bug in a wide range of Bluetooth enabled devices such as smartphones, tablets and laptops that allows hackers to intercept the connection between almost any two devices.

Once connected, hackers are then able to change the contents of file transfers and listen in on calls made via Bluetooth. Hackers could even take control of wireless devices such as keyboards and type in their own commands.

The attack, which has been dubbed KNOB (Key Negotiation of Bluetooth), was discovered by Kasper Rasmussen from Oxford University, Daniele Antonioli from the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security’s Nils Ole Tippenhauer.

In their paper, The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR, they wrote that “The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy.

“Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time).”

The attack is practically impossible to detect without the use of highly specialised equipment and has been found to affect a multitude of devices, from Lenovo laptops to the latest Apple devices. The researchers tested the attack on 14 Bluetooth chips from 24 different devices from big brand names such as Broadcom, Apple, Intel and Qualcomm and all were found to be vulnerable.

Rasmussen who described KNOB as a “very serious attack” said “Bluetooth promises a secure connection, but it’s not just a little broken, it’s completely absent. It essentially means that the security aspect of Bluetooth is completely broken, so if you want any meaningful security you would have to provide that yourself. But lots of applications rely on Bluetooth being secure.”

Worryingly, the flaw does not break the agreed Bluetooth industry standards, as one byte is the minimum level of entropy permitted by all BR/EDR standards, which also do not require that key negotiation protocols are secured. Therefore, any firmware of any standard-compliant Bluetooth chip is vulnerable.

The flaw was disclosed in November 2018 to the Bluetooth industry via the Bluetooth Special Interest Group (SIG), the CERT Coordination Centre and the International Consortium for Advancement of Cybersecurity on the Internet. Apple, Microsoft, Intel and Qualcomm are among the many companies to have released a software update to fix the flaw; however, those who have not updated their devices recently remain vulnerable to this very critical flaw.

Since the vulnerability was disclosed, Bluetooth SIG has updated the core Bluetooth specification to recommend a minimum of 7 bytes of entropy for encryption keys. SIG has said that the likelihood of hackers exploiting the vulnerability is slim, but is still urging all vendors to patch their products appropriately.
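The two points the article makes, that an encryption key negotiated down to one byte of entropy is trivially brute-forced and that enforcing the updated 7-byte minimum closes the hole, can be seen in a toy model. The code below is an added illustration and is not from the researchers' paper, the Bluetooth specification or any real Bluetooth stack: the real BR/EDR key-size negotiation messages and the E0 cipher are not reproduced, a keyed SHAKE keystream stands in for the cipher, and the `negotiate_key_size`, `reduce_key` and `brute_force_key` helpers are assumptions made for this example. What it shows is why a device that refuses proposals below its policy minimum is protected even though one byte is standard-compliant.

```python
"""Toy model of the KNOB weakness: key-size negotiation, key reduction,
and the cost of brute force at 1 byte versus 7 bytes of entropy.
Added example; not code from the paper or any Bluetooth implementation."""
import hashlib
import itertools

FULL_KEY_BYTES = 16
SPEC_FLOOR_BYTES = 1     # floor the BR/EDR standard permits (per the article)
MIN_ENTROPY_BYTES = 7    # minimum the updated core spec recommends (per the article)

# Constructed sample link key for the demonstration (not a real key).
SAMPLE_LINK_KEY = bytes(range(0x10, 0x20))


def negotiate_key_size(local_max: int, remote_proposal: int, policy_min: int):
    """One side of a (simplified) key-size negotiation.
    In the attack, `remote_proposal` is the value a man-in-the-middle has
    rewritten downwards. A side that enforces `policy_min` refuses (None)
    instead of accepting a key below its floor."""
    agreed = min(local_max, remote_proposal)
    if agreed < policy_min:
        return None
    return agreed


def reduce_key(link_key: bytes, entropy_bytes: int) -> bytes:
    """Stand-in for key-size reduction (NOT the spec's g1/g2 functions):
    keep `entropy_bytes` bytes of material and zero-pad to 16 bytes, so the
    effective search space is 256 ** entropy_bytes."""
    if not SPEC_FLOOR_BYTES <= entropy_bytes <= FULL_KEY_BYTES:
        raise ValueError("entropy must be between 1 and 16 bytes")
    return link_key[:entropy_bytes] + b"\x00" * (FULL_KEY_BYTES - entropy_bytes)


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHAKE-128 keystream. Not E0."""
    stream = hashlib.shake_128(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def brute_force_key(entropy_bytes: int, known_plaintext: bytes,
                    ciphertext: bytes, max_tries: int = 1 << 16):
    """Exhaustively guess the reduced key given one known plaintext/ciphertext
    pair. Returns (key, tries) on success or (None, tries) when the budget
    runs out; the budget models an attacker with limited effort."""
    for tries, prefix in enumerate(
            itertools.product(range(256), repeat=entropy_bytes), start=1):
        if tries > max_tries:
            return None, max_tries
        candidate = bytes(prefix) + b"\x00" * (FULL_KEY_BYTES - entropy_bytes)
        if keystream_encrypt(candidate, known_plaintext) == ciphertext:
            return candidate, tries
    return None, 256 ** entropy_bytes


def recovery_demo(entropy_bytes: int, link_key: bytes = SAMPLE_LINK_KEY):
    """Encrypt a known message under a key reduced to `entropy_bytes`, then
    try to recover it. Returns (recovered_correctly, tries_used)."""
    session_key = reduce_key(link_key, entropy_bytes)
    plaintext = b"hello"  # constructed known plaintext
    ciphertext = keystream_encrypt(session_key, plaintext)
    found, tries = brute_force_key(entropy_bytes, plaintext, ciphertext)
    return found == session_key, tries


if __name__ == "__main__":
    # A standard-compliant but unprotected side accepts the downgraded proposal.
    print("accepts 1-byte key (spec floor only):",
          negotiate_key_size(16, 1, SPEC_FLOOR_BYTES))
    # A side enforcing the updated minimum refuses it.
    print("accepts 1-byte key (7-byte policy):",
          negotiate_key_size(16, 1, MIN_ENTROPY_BYTES))
    for entropy in (1, 7):
        ok, tries = recovery_demo(entropy)
        print(f"{entropy}-byte key: recovered={ok} after {tries} tries")
```

Run as a script it prints that the 1-byte key is recovered in at most 256 guesses while the 7-byte key survives the whole budget, and that the same downgraded proposal is accepted under the bare spec floor but refused under a 7-byte policy; the policy check, not the cipher, is what a patched device adds.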

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection,” an advisory note from the Bluetooth SIG read.

“If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window.”

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability.”

However, the researchers say that KNOB is an “effective, stealthy and cheap” attack, easily conducted using readily available technology and affecting “potentially all standard-compliant Bluetooth devices, regardless of their version number.”

The researchers’ paper concluded by saying the flaw is “a serious threat to the security and privacy of all Bluetooth users… we were surprised to discover such fundamental issues in a widely used and 20-year-old standard.”


Dominique Adams

Staff Writer, DIGIT
