Let’s talk about Bluetooth: “Bluetooth is a convenient and easy method of sharing data between devices, which, of course, qualifies it as a prime target for exploitation. A trio of researchers have discovered a vulnerability that has the potential of attacking billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies.” Steve Prentice explains the Key Negotiation of Bluetooth (KNOB) vulnerability on this week’s Cloud Security Tip.
So what exactly is the KNOB vulnerability? And how do we combat it? Let’s discuss.
What is the KNOB Vulnerability?
Researchers — Daniele Antonioli, SUTD; Nils Ole Tippenhauer, CISPA; Kasper B. Rasmussen, University of Oxford — outlined the KNOB attack in a paper titled "The KNOB is Broken."
The research found that the KNOB attack allowed a third party to bypass encryption by forcing two or more victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages — in real-time. The paper goes on to explain that the attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users.
The KNOB attack does require the targeted device to be within pairing distance of the attacker, however it can also affect those devices that it has already paired with. The researchers concluded that a successful attack would allow someone to eavesdrop or even change the information passed between the target devices.
Remedy the Vulnerability
In a recent security notice, the Bluetooth SIG provided recommendations to reduce the threat of the KNOB attack.
To resolve the vulnerability, the Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections. The Bluetooth SIG will also include testing for this new recommendation within their Bluetooth Qualification Program. Additionally, the Bluetooth SIG strongly recommends that product developers update existing solutions to enforce a minimum encryption key length of 7 octets for BR/EDR connections.
The following product developers have released software updates that patch or mitigate the vulnerability:
- Apple macOS, iOS, and watchOS
- Microsoft Windows
- Google for Android
- Cisco IP phones and Webex
- Blackberry powered by Android phones
Make sure any devices you or your employees use have been updated to protect against this threat.
Wrapping It Up
According to Prentice, “This is not an easy hack, and relies a lot on time and place — and it does not affect all Bluetooth devices. However, when successful, it can steal data and inject ciphertext.”
It is important to remain vigilant, and never use features, such as Bluetooth, all the time. Turn it off when not in use, and avoid using it in public places. Don’t accept pairing requests from unknown parties, and ensure your team members are updating firmware regularly. Most importantly, always conduct research before deploying a new device within your organization — and find out what security measures the manufacturer has added to protect your device.