The KNOB attack: Security experts ring the alarm: “Turn off your Bluetooth, or let attackers take control of the traffic”
While taking a phone call on Bluetooth wireless headphones, typing notes on a Bluetooth keyboard or checking email on a smartwatch, have you ever considered that your information may be accessible to attackers?
Recent research has identified a fundamental flaw in the Bluetooth standard that affects every Bluetooth-capable device, spanning laptops, tablets, smart IoT devices, smartphones and industrial equipment, and that allows attackers to eavesdrop on data and intercept the link established between any two Bluetooth devices. The vulnerability in the Bluetooth protocol gives an attacker the means to intercept and decrypt what is supposed to be “secure communication”.
The attack lets an adversary make two (or more) victim devices agree on an encryption key with only 1 byte of entropy, without possessing the link key or any other secret. Because of the low entropy, a third party can easily brute-force the negotiated encryption key, decrypt the ciphertext and even alter its content. The potential harm is considerably lower when the traffic is only music or other audio. This attack is termed the Key Negotiation of Bluetooth (KNOB) attack.
Bluetooth Classic is a wireless technology standard designed for relatively short-range, continuous connections such as streaming audio to headsets or portable speakers. It is also known as Bluetooth BR/EDR (Basic Rate/Enhanced Data Rate), and its core specification supports encryption keys with entropy between 1 and 16 bytes (octets), where a higher value means stronger security.
The flaw lies in the entropy negotiation: the exchange that devices perform over the Link Manager Protocol (LMP) is neither encrypted nor authenticated, so it can be hijacked or altered over the air.
For the attack to succeed, both Bluetooth devices must be establishing a BR/EDR connection, which means being within about 10 meters for most Bluetooth devices, or theoretically up to 400 meters when both support Bluetooth 5, and both must be vulnerable to the flaw. The attacker must also be able to block direct transmissions between the devices while they are pairing, and the attack has to be carried out during the negotiation or renegotiation of a paired connection; existing sessions cannot be attacked. The whole attack must be completed within a short time frame and repeated every time the devices pair. Once the key has been forced short, it still has to be brute-forced before the traffic can be decrypted.
The Bluetooth SIG recommends that product developers update existing solutions to enforce a minimum encryption key length of 7 octets for BR/EDR connections. Major platform vendors worldwide, including Microsoft, Cisco, BlackBerry, Apple and Google, have started releasing security updates for their operating systems to mitigate the KNOB attack. A10 Networks, Juniper, Intel Corporation, Oracle and VMware are not affected.
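To make the negotiation weakness and the 7-octet floor concrete, the following is an added simulation, not code from the researchers, the Bluetooth SIG or any vendor. It models the LMP key-size exchange as a single round of proposals carried over a channel that an in-path party can rewrite, and shows a device that enforces the recommended minimum refusing the downgraded link; the Device class, the negotiate function and the one-round shape are constructed simplifications of the real multi-PDU protocol.

```python
from dataclasses import dataclass

# Entropy bounds from the BR/EDR core specification and the post-KNOB floor
# recommended by the Bluetooth SIG (all three values come from the article).
SPEC_MIN_OCTETS = 1
SPEC_MAX_OCTETS = 16
SIG_RECOMMENDED_MIN = 7


@dataclass
class Device:
    """One controller's key-size policy (constructed model, not a real stack)."""
    name: str
    max_key_octets: int = SPEC_MAX_OCTETS
    # Pre-mitigation firmware accepts anything the spec allows, down to 1 octet.
    min_key_octets: int = SPEC_MIN_OCTETS


def negotiate(initiator, responder, in_path=lambda n: n):
    """Return the agreed key size in octets, or None if either side refuses.
    `in_path` stands in for the unencrypted, unauthenticated LMP channel:
    anything sent may be rewritten before the other side receives it.
    """
    proposal = in_path(initiator.max_key_octets)      # initiator's key-size request
    if proposal < responder.min_key_octets:
        return None                                    # responder refuses the link
    agreed = in_path(min(proposal, responder.max_key_octets))  # accept or counter-propose
    if agreed < initiator.min_key_octets:
        return None                                    # initiator refuses the link
    return agreed


def force_one_octet(_proposal):
    """In-path rewrite described in the article: every proposal arrives as 1 octet."""
    return 1


def key_space(octets):
    """Candidate keys an offline brute force must try for the given entropy."""
    return 2 ** (8 * octets)


if __name__ == "__main__":
    legacy_phone, legacy_headset = Device("legacy-phone"), Device("legacy-headset")
    patched_phone = Device("patched-phone", min_key_octets=SIG_RECOMMENDED_MIN)
    print("no tampering:", negotiate(legacy_phone, legacy_headset))                        # 16
    print("tampered, both legacy:", negotiate(legacy_phone, legacy_headset, force_one_octet))  # 1
    print("tampered, patched initiator:", negotiate(patched_phone, legacy_headset, force_one_octet))  # None
    print("tampered, patched responder:", negotiate(legacy_headset, patched_phone, force_one_octet))  # None
    print("key space, 1 vs 7 octets:", key_space(1), key_space(SIG_RECOMMENDED_MIN))       # 256 72057594037927936
```

A host whose controller firmware cannot be updated can apply the same floor after the fact: the standard HCI Read_Encryption_Key_Size command returns the negotiated size, and the host can drop any link that comes back below the recommended minimum.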
Apple has mitigated the KNOB attack in macOS 10.14.6 Mojave, Security Update 2019-004 for Sierra and High Sierra, iOS 12.4, watchOS 5.3, and tvOS 12.4. Google patched the issue in the August 2019 security release, and Microsoft has also issued fixes. Cisco has released updates for Webex and some Cisco IP phones.
Since the attack requires the devices to be close together, the home is a relatively safe environment, while in public places such as airports, railway stations, shopping malls and restaurants it is better to turn Bluetooth off. Another serious issue nowadays is retailers monitoring your shopping patterns by placing Bluetooth beacons in their stores.
From an ordinary user’s point of view, the things to remember for your safety are:
- Always set your PIN to a minimum of eight characters
- Turn Bluetooth off when you are not using it, and do not leave your device in discoverable mode
- Do not accept unknown pairing requests
- Pair devices in a safe environment such as your home
- Regularly download and install updates