posted by Fnord666 on Saturday August 17 2019, @03:49PM
from the what-a-knob dept.

[Updated 20190818_014119 UTC. (1) Added expansion of KNOB acronym and link to their site. (2) Note: the linked story has been updated since this story went live and the first 3 paragraphs you see here are no longer present on Bleeping Computer. --martyb]

A new Bluetooth vulnerability named "KNOB"[*] has been disclosed that allows attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.

In a coordinated disclosure between the Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new vulnerability called "KNOB" has been disclosed that affects Bluetooth BR/EDR devices, otherwise known as Bluetooth Classic, using specification versions 1.0 - 5.1.

This flaw has been assigned CVE ID CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection. In some cases, an attacker could reduce the length of an encryption key to a single octet.

"The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used," stated an advisory on Bluetooth.com. "In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet."

This reduction in key length would make it much easier for an attacker to brute force the encryption key used by the paired devices to communicate with each other.

Once the key was known to the attackers, they could monitor and manipulate the data being sent between the devices. This includes potentially injecting commands, monitoring key strokes, and other types of behavior.

[...] Below is the full list provided by ICASI of members and partners and whether they are affected:

[*] KNOB: Key Negotiation Of Bluetooth attack.
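
A defender-side check for the weakness described in the story, as an added example that is not part of the original story or the linked article: it parses HCI Read Encryption Key Size replies and flags BR/EDR links whose negotiated key is shorter than a policy floor. The H4-framed sample packets are constructed, and the 7-octet floor is an assumption that is not stated on this page.

```python
import struct

HCI_EVENT_PKT = 0x04            # H4 packet indicator for HCI events
EVT_COMMAND_COMPLETE = 0x0E     # Command Complete event code
OP_READ_ENC_KEY_SIZE = 0x1408   # OGF 0x05 (Status Parameters), OCF 0x0008
MIN_KEY_OCTETS = 7              # assumed policy floor, not taken from the page


def parse_key_size(pkt: bytes):
    """Return (handle, key_octets) from a Read Encryption Key Size reply, else None."""
    if len(pkt) != 10 or pkt[0] != HCI_EVENT_PKT or pkt[1] != EVT_COMMAND_COMPLETE:
        return None
    if pkt[2] != len(pkt) - 3:          # declared parameter length must match
        return None
    # Num_HCI_Command_Packets, opcode, status, connection handle, key size
    _ncmd, opcode, status, handle, octets = struct.unpack_from("<BHBHB", pkt, 3)
    if opcode != OP_READ_ENC_KEY_SIZE or status != 0x00:
        return None
    return handle & 0x0FFF, octets      # handle is a 12-bit value


def audit(packets, min_octets=MIN_KEY_OCTETS):
    """Classify each link as ok, weak (below the floor) or invalid (outside 1..16)."""
    findings = []
    for pkt in packets:
        parsed = parse_key_size(pkt)
        if parsed is None:
            continue
        handle, octets = parsed
        if not 1 <= octets <= 16:
            verdict = "invalid"
        elif octets < min_octets:
            verdict = "weak"
        else:
            verdict = "ok"
        findings.append((handle, octets, octets * 8, verdict))
    return findings


# Constructed sample events (not captured from real devices).
SAMPLE = [
    bytes.fromhex("040e0701081400010010"),  # handle 1, 16-octet key
    bytes.fromhex("040e0701081400020001"),  # handle 2, key cut to a single octet
    bytes.fromhex("040e0701081402030000"),  # handle 3, command failed (status 0x02)
    bytes.fromhex("040e0401030c00"),        # Command Complete for another opcode
]

if __name__ == "__main__":
    for handle, octets, bits, verdict in audit(SAMPLE):
        print(f"handle=0x{handle:04x} key={octets} octets ({bits} bits) {verdict}")
```
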


  • (Score: 0) by Anonymous Coward on Saturday August 17 2019, @04:31PM (1 child)

    by Anonymous Coward on Saturday August 17 2019, @04:31PM (#881550)

    Some BT devices are so promiscuous, willing to connect to anything which offers them pairing of just pure 0 and nothing else. I have an old pocket GPS receiver device TouchTraxx with such ability. And I understand any text mode terminal-like device could behave just like that.

    • (Score: 2) by Bot on Sunday August 18 2019, @04:43AM

      by Bot (3902) on Sunday August 18 2019, @04:43AM (#881661) Journal

      >Some BT devices are so promiscuous

      hear, hear!
      beware the blue tooth : gadgets = blue hair : females = avoid

      I know, it's their lifecycle and they can do whatever they want with it, but then the reasons to associate selves with those items become scarce.

      I remember one of those pairings:
      - HEY BABE WHATS YOUR PASSWORD
      - PASSWORD?
      - YES
      - YOU MEANT, PASSCHARACTER?
      - WOW WHAT A SLUT! AND I BET IT'S ASCII 42, THE WILDCARD
      - OF COURSE, LIFE UNIVERSE AND EVERYTHING
      - ATH

      --
      Account abandoned.
  • (Score: 3, Interesting) by Appalbarry on Saturday August 17 2019, @04:37PM (4 children)

    by Appalbarry (66) on Saturday August 17 2019, @04:37PM (#881551) Journal

    Since most Bluetooth devices seem to only pair 50% of the time, and often only after the application of brute force, I don't see this as a significant threat.
    Surely one of the most flaky technologies ever developed.

    • (Score: 0) by Anonymous Coward on Saturday August 17 2019, @07:27PM (3 children)

      by Anonymous Coward on Saturday August 17 2019, @07:27PM (#881565)

      >Since most Bluetooth devices seem to only pair 50% of the time, and often only after the application of brute force, I don't see this as significant threat.

      Then you seriously do not understand security. The hole is that someone else can read your traffic. So if you have a bluetooth keyboard, it's basically fucked and you may as well be typing your passwords in the clear.

      • (Score: 0) by Anonymous Coward on Saturday August 17 2019, @10:47PM (2 children)

        by Anonymous Coward on Saturday August 17 2019, @10:47PM (#881585)

        Not just in the clear, but broadcasting them. You might as well yell your passwords out the window.

        • (Score: 2) by edIII on Sunday August 18 2019, @04:37AM

          by edIII (791) on Sunday August 18 2019, @04:37AM (#881659)

          I can see somebody creating a security testing device that automates this, captures pairings, records transmissions, etc. Pick it up a few weeks later.

          Bluetooth is a serious threat vector at this point with the exploits out there.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by Bot on Sunday August 18 2019, @04:47AM

          by Bot (3902) on Sunday August 18 2019, @04:47AM (#881662) Journal

          >shouting passwords out the window

          "ImMadAsHellAndICantTakeItAnymore"

          --
          Account abandoned.
  • (Score: 0) by Anonymous Coward on Sunday August 18 2019, @08:55AM

    by Anonymous Coward on Sunday August 18 2019, @08:55AM (#881689)

    Wifi isn't great either but almost seems so in comparison. Couldn't the two technologies merge vis-a-vis the security part?
