Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Saturday August 17 2019, @03:49PM   Printer-friendly
from the what-a-knob dept.

[Updated 20190818_014119 UTC. (1) Added expansion of KNOB acronym and link to their site. (2) Note: the linked story has been updated since this story went live and the first 3 paragraphs you see here are no longer present on Bleeping Computer. --martyb]

A new Bluetooth vulnerability named "KNOB"[*] has been disclosed that allow attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.

In a coordinated disclosure between Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new vulnerability called "KNOB" has been disclosed that affects Bluetooth BR/EDR devices, otherwise known as Bluetooth Classic, using specification versions 1.0 - 5.1.

This flaw has been assigned CVE ID CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection. In some cases, an attacker could reduce the length of an encryption key to a single octet.

"The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used," stated an advisory on Bluetooth.com. "In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet."

This reduction in key length would make it much easier for an attacker to brute force the encryption key used by the paired devices to communicate with each other.

Once the key was known to the attackers, they could monitor and manipulate the data being sent between the devices. This includes potentially injecting commands, monitoring key strokes, and other types of behavior.

[...] Below is the full list provided by ICASI of members and partners and whether they are affected:

[*] KNOB: Key Negotiation Of Bluetooth attack.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Bot on Sunday August 18 2019, @04:43AM

    by Bot (3902) on Sunday August 18 2019, @04:43AM (#881661) Journal

    >Some BT devices are so promiscuous

    hear, hear!
    beware the blue tooth : gadgets = blue hair : females = avoid

    I know, it's their lifecycle and they can do whatever they want with it, but then the reasons to associate selves with those items become scarce.

    I remember one of those pairings:
    - HEY BABE WHATS YOUR PASSWORD
    - PASSWORD?
    - YES
    - YOU MEANT, PASSCHARACTER?
    - WOW WHAT A SLUT! AND I BET IT'S ASCII 42, THE WILDCARD
    - OF COURSE, LIFE UNIVERSE AND EVERYTHING
    - ATH

    --
    Account abandoned.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2