Critical Bluetooth flaw opens millions of devices to eavesdropping attacks - Help Net Security

Critical Bluetooth flaw opens millions of devices to eavesdropping attacks - Help Net Security

A newly disclosed vulnerability (CVE-2019-9506) in the Bluetooth Core Specification can be exploited by attackers to intercept and manipulate Bluetooth communications/traffic between two vulnerable devices.



Researchers Daniele Antonioli, Nils Ole Tippenhauer and Kasper Rasmussen discovered the flaw and demonstrated a practical Key Negotiation Of Bluetooth (KNOB) attack taking advantage of it.


They also shared their discovery with the Bluetooth Special Interest Group (Bluetooth SIG), the CERT Coordination Center, and members of the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), which include Intel, Microsoft, Cisco, Juniper and IBM. Most of these have already implemented the fixes required to prevent exploitation of the flaw.


The KNOB attack and its limitations


CVE-2019-9506 affects the Bluetooth BR/EDR (Basic Rate/Enhanced Data Rate) key negotiation procedure/protocol.


“The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time),” the researchers explained in a recently released paper and to the audience of the 28th USENIX Security Symposium.


“The attack is standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. The attack targets the firmware of the Bluetooth chip because the firmware (Bluetooth controller) implements all the security features of Bluetooth BR/EDR. As a standard-compliant attack, it is expected to be effective on any firmware that follows the sp ..