New Bluetooth Vulnerability Allows Attackers to Intercept Traffic

A KNOB (key negotiation of Bluetooth) attack against the basic rate/enhanced data rate (BR/EDR, or Bluetooth Classic) configuration can result in information disclosure and/or escalation of privileges.


The vulnerability was discovered by researchers at the Center for IT-Security, Privacy and Accountability (CISPA), and reported to Bluetooth. Bluetooth published an advisory and Microsoft patched its own Bluetooth in the August 2019 updates. But patching Windows does not mean the Bluetooth issue is solved.


In its own Vulnerability Note VU#918987, CERT/CC has explained the vulnerability and designated it as CVE-2019-9506 with a CVSS score of 9.3. The vulnerability is based on the process by which communicating Bluetooth devices decide on and establish an encryption key length. This can be anything between one and 16 bytes of entropy. One byte provides an encryption key so small that it can be brute forced by an attacker.


Microsoft patched Windows Bluetooth with "a software update that enforces a default 7-octet minimum key length to ensure that the key negotiation does not trivialize the encryption." However, this is not set by default and must be enabled by the user setting a flag in the registry. Unless this flag is set, Windows Bluetooth will remain susceptible to the vulnerability.


The main problem is that an attacker can force a minimal key length. It is not a simple attack and it is thought that it has never been maliciously exploited. BR/EDR Bluetooth is the standard configuration for short range communication. This means that the attacker must be adjacent to the communicating devices with kit ..