Stories
Slash Boxes
Comments

SoylentNews is people

New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic

posted by Fnord666 on Saturday August 17 2019, @03:49PM   Printer-friendly
from the what-a-knob dept.

[Updated 20190818_014119 UTC. (1) Added expansion of KNOB acronym and link to their site. (2) Note: the linked story has been updated since this story went live and the first 3 paragraphs you see here are no longer present on Bleeping Computer. --martyb]

Arthur T Knackerbracket has found the following story:

A new Bluetooth vulnerability named "KNOB"[*] has been disclosed that allow attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.

In a coordinated disclosure between Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new vulnerability called "KNOB" has been disclosed that affects Bluetooth BR/EDR devices, otherwise known as Bluetooth Classic, using specification versions 1.0 - 5.1.

This flaw has been assigned CVE ID CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection. In some cases, an attacker could reduce the length of an encryption key to a single octet.

"The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used," stated an advisory on Bluetooth.com. "In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet."

This reduction in key length would make it much easier for an attacker to brute force the encryption key used by the paired devices to communicate with each other.

Once the key was known to the attackers, they could monitor and manipulate the data being sent between the devices. This includes potentially injecting commands, monitoring key strokes, and other types of behavior.

[...] Below is the full list provided by ICASI of members and partners and whether they are affected:

[*] KNOB: Key Negotiation Of Bluetooth attack.

Original Submission

 
This discussion has been archived. No new comments can be posted.
New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Sunday August 18 2019, @08:55AM

    by Anonymous Coward on Sunday August 18 2019, @08:55AM (#881689)

    Wifi isn't great either but almost seems so in comparison. Couldn't the two technologies merge vis-a-vis the security part?