Critical Bluetooth Flaw Leaves Millions Open to Attack
Editor's Note: We've updated this article with information on updates released by Apple and Microsoft that protect devices from the KNOB vulnerability. You can find a full list of affected companies with links to patches here.
Be sure to update your Bluetooth devices before connecting them to a laptop or smartphone.
Security researchers recently discovered a Bluetooth vulnerability that's so serious they consider a "threat to the security and privacy of all" users.
The Center for IT-Security, Privacy and Accountability (CISPA) in coordination with the ICASI and its members, such as Microsoft, Apple and Amazon, released a report on a devastating Bluetooth flaw called KNOB (Key Negotiation of Bluetooth) that gives bad actors the ability to monitor and manipulate traffic between two devices. The attack affects Bluetooth BR/EDR (Bluetooth Classic), or an older version of Bluetooth that establishes a short-range wireless connection between devices (typically speakers and headphones).
The vulnerability stems from the process of setting up an encrypted connection between two Bluetooth devices. An attacking device can interfere with this process, shorten the encryption key down to one byte, then easily brute force crack the code to gain a connection. From there, the attacker could decrypt all of the traffic flowing between the two devices.
According to a security notice posted by Bluetooth SIG, the organization that develops Bluetooth standards, even devices that require a minimum key length aren't able to perform the steps to verify that the encryption key meets those requirements. To make matters worse, researchers say that the attack is hard to detect because the encryption negotiation remains transparent to the user and because the shortened encryption key is still complaint under all versions of Bluetooth.
Fortunately, many tech manufacturers have already released patches for the vulnerability. Apple pushed a security update on July 22 to iPhones, iPads and iPods that protects against the attack with improved input validation. Microsoft did its part, releasing an update to Windows devices that sets a default 7-octet minimum encryption key length. That improved security measure is disabled by default. You can follow these instructions to enable the feature using Registry Editor on your Windows machine.
The ICASI published a helpful list of companies that are and aren't affected and included links to patches for those that are.
Researchers tested the attack using Nexus 5 and Motorola G3 smartphones. The Nexus 5 was used as the man-in-the-middle attacker that added code to the Bluetooth firmware. They then used a Lenovo ThinkPad X1 Carbon laptop to brute force the encryption code and decrypt the intercepted messages. The attack was successfully performed on a wide range of Bluetooth chips from manufacturers Broadcom, Qualcomm, Apple, and Chicony.
"The KNOB attack is a serious threat to the security and privacy of all Bluetooth users," CISPA wrote in their report. "We were surprised to discover such fundamental issues in a widely used and 20 years old standard."
Before you throw away your new wireless headphones, it's worth noting that Bluetooth devices are only vulnerable under certain conditions. Because this is an attack on Bluetooth, the aggressor would need to be in range of both devices to establish a connection. If one of the devices wasn't vulnerable, then the attack would fail. Also, as Bluetooth SIG notes, "The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."
There are no known cases of the exploit being used to intercept traffic between two devices.
CISPA blames the vulnerability on "ambiguous phrasing" in the Bluetooth standard and urges Bluetooth SIG to update the specification immediately, "Until the specification is not fixed, we do not recommend to trust any link-layer encrypted Bluetooth BR/EDR link," CISPA writes.
So far, Bluetooth SIG responded by updating the Bluetooth Core Specification to recommend a minimum encryption length of octets, up from one, for BR/EDR connections. The organization is also urging tech companies to update existing products to enforce the new recommended standards.
What can you do to protect yourself from this attack? As always, keep your devices up-to-date by installing the latest system updates.