Serious Bluetooth Security Vulnerability Could Leave Millions Of Devices Open To Attacks
The findings were presented at the USENIX Security Symposium by researchers from the Center for IT-Security, Privacy and Accountability (CISPA). The vulnerability has been nicknamed “Key Negotiation Of Bluetooth” or “KNOB”. Every time two Bluetooth devices establish a connection, they also create a new encryption key. Unfortunately, not every device has a minimum key length requirement. Hackers could potentially trick two Bluetooth devices into establishing a connection with a weak and short encryption key. The hackers would then be able to brute force attack one of the devices and gain access to a user’s communications within a short amount of time.
Thankfully, this particular vulnerability is not easy to exploit. First, the vulnerability was only found in Bluetooth, not Bluetooth Low Energy (BLE), devices. Most wearable devices are BLE. Second, the attacker would need to within a reasonable physical distance of the targets and would need to attack the devices as they were connecting. Third, the attackers would not be able to hack into already connected devices. They would also need to attack the devices again once the connection had been interrupted. Last, both devices would need to be vulnerable to the attack.
Many of the affected companies, such as Apple and Microsoft, have since released patches. Blackberry, Lenovo, and Intel have issued security advisories, while Cisco has promised that a fix is forthcoming. Fortunately, the vulnerability has not been exploited by hackers.
Microsoft and Intel also recently released patches for other major security issues. One vulnerability in Intel’s device firmware could have led to an escalation of privileges or denial of service attack in their NUC mini PC's. Another vulnerability was discovered by security researchers at Bitdefender. This one would have also allowed attackers to bypass fixes that had been rolled out on devices with Intel processors. They worked with Intel and Microsoft for over a year to create a fix. If you use a Windows device, you should run the latest security update. This update will include fixes for both the Intel processor and Bluetooth vulnerabilities.