The heart of tech

This article was published on August 16, 2019


Critical KNOB exploit penetrates gaping Bluetooth vulnerability

And all the British people in the room start laughing.

Critical KNOB exploit penetrates gaping Bluetooth vulnerability
Matthew Hughes
Story by

Matthew Hughes

Former TNW Reporter

Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twi Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twitter.

Researchers have discovered a vulnerability in Bluetooth’s authentication protocols which, if properly executed, could allow an attacker to conduct a man-in-the-middle attack between two paired devices. This could see an adversary intercept and alter files while they’re in transit, as well as potentially listening in on conversations conducted via Bluetooth.

Researchers from Oxford University, the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security discovered the attack, which has since been dubbed KNOB, which is short for “Key Negotiation of Bluetooth.”

(You, in the back. Stop laughing. This is serious.)

The thrust of the KNOB attack sees an adversary trick the devices participating in a Bluetooth handshake to use a degraded encryption key with just one byte of entropy. This opens the door to a brute force attack, where the adversary can “guess” the encryption key by cycling through all the possible options.

Once that’s done, the attacker has free reign, allowing them to inject their own files into the transfer, or even spy on data being transferred within devices.

The KNOB attack is especially pernicious because it doesn’t violate the Bluetooth DR/EDR specification, which explicitly permits keys with just one byte of entropy. It’s also been proven to work on Bluetooth radios from all the major manufacturers, including Broadcom, Apple, and Intel.

And, as the researchers point out in the technical paper describing the vulnerability, victims of a hacker’s KNOB don’t even realize they’ve been compromised. That’s because the attack focuses on the key exchange process, rather than compromising the individual devices themselves.

Fortunately, there’s some good news. Firstly, the Bluetooth SIG has updated the specification to recommend device manufacturers use a minimum of seven bytes of entropy. Vendors have also been aware of the KNOB attack since late 2018, and many are issuing patches to users in order to protect users against it.

Furthermore, it’s apparently really tricky to exploit, meaning that this attack is unlikely to be used in a widespread attack.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection,” the Bluetooth SIG writes.

“If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window,” it adds.

That’s a relief. Still, one hopes that any slippery hackers caught exploiting this flaw experience the long, hard, throbbing arm of the law.

Alright, I’m done now.

KNOB, HAHAHAHA.