Security researchers have identified a vulnerability in the encryption of Bluetooth BR/EDR connections. An unauthenticated attacker within radio range of a vulnerable device could exploit the issue to escalate privileges or steal information.
The vulnerability, CVE-2019-9506, affects the Bluetooth BR/EDR (Basic Rate/Enhanced Data Rate) encryption key negotiation procedure.
The researchers have dubbed the attack "KNOB", for Key Negotiation of Bluetooth, and confirmed that an unauthenticated adjacent attacker can completely break Bluetooth BR/EDR security. Moreover, the attack is stealthy, since the encryption key negotiation is transparent to Bluetooth users.
The researchers Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen presented their findings in a paper at the 28th USENIX Security Symposium.
“The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy,” the researchers wrote.
“Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time).”
The research was also shared with the Bluetooth Special Interest Group (Bluetooth SIG) and the CERT Coordination Center. The researchers also notified a cybersecurity consortium of technology companies including IBM, Microsoft, Cisco, Intel and Juniper.
To address the vulnerability, Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections, and strongly recommends that product developers update their products to enforce that minimum.
Furthermore, Bluetooth SIG has communicated the vulnerability details and remediation broadly to its member companies. Affected organizations are strongly encouraged to integrate any necessary patches as soon as possible.
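To make the key-negotiation weakness and the 7-octet remediation concrete, here is an added, simplified model (not code from the KNOB paper or from any Bluetooth stack): each side proposes a key size in octets, the link uses the smaller proposal, and a device-side minimum decides whether that result is accepted. Function and constant names are hypothetical; the 1..16 octet range and the 7-octet minimum are taken from the text above.

```python
"""Simplified model of BR/EDR encryption key-size negotiation (added illustration).

Assumptions (not a real LMP implementation): both peers propose a key size
in octets, the agreed size is the smaller proposal, and each device applies
a local minimum. minimum=1 models a device before the fix; minimum=7 models
the Bluetooth SIG recommendation. Names here are hypothetical.
"""
from typing import Optional

MAX_KEY_OCTETS = 16          # largest BR/EDR encryption key size
MIN_KEY_OCTETS_PATCHED = 7   # minimum recommended by Bluetooth SIG after KNOB


def keyspace_size(key_octets: int) -> int:
    """Number of candidate keys an eavesdropper must try for this key size."""
    return 2 ** (8 * key_octets)


def negotiate_key_size(initiator_proposal: int, responder_proposal: int,
                       minimum: int = 1) -> Optional[int]:
    """Return the agreed key size, or None when the device rejects the link.

    The proposal a device actually sees may have been lowered in transit;
    the only defence modelled here is refusing any result below `minimum`.
    """
    for proposal in (initiator_proposal, responder_proposal):
        if not 1 <= proposal <= MAX_KEY_OCTETS:
            raise ValueError(f"key size {proposal} outside 1..{MAX_KEY_OCTETS}")
    agreed = min(initiator_proposal, responder_proposal)
    return agreed if agreed >= minimum else None


def audit_link(agreed: Optional[int]) -> str:
    """Classify a negotiated key size the way a defender's log check would."""
    if agreed is None:
        return "rejected"
    if agreed < MIN_KEY_OCTETS_PATCHED:
        return f"WEAK: {agreed}-octet key, {keyspace_size(agreed)} candidates"
    return f"ok: {agreed}-octet key"


if __name__ == "__main__":
    # Constructed scenario: one proposal has been lowered to 1 octet in transit.
    print("pre-patch :", audit_link(negotiate_key_size(16, 1)))
    print("patched   :", audit_link(negotiate_key_size(16, 1, MIN_KEY_OCTETS_PATCHED)))
    print("honest    :", audit_link(negotiate_key_size(16, 16, MIN_KEY_OCTETS_PATCHED)))
```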