A collection of security researchers has come across a flaw in Bluetooth devices that can allow for brute-force attempts on the encryption key that is used to pair Bluetooth enabled equipment. It has been named KNOB (CVE-2019-9506) and it can affect Bluetooth BR/EDR or Bluetooth Classic devices running version 1.0-5.1. CVE-2019-9506 essentially shortens the distance of connectivity for the encryption key. Researchers stated, “For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection.” If the encryption key falls into the hands of an attacker, traffic between the two devices can be observed and exploited. Activity that would fall under this would be injecting keystrokes, monitoring keystrokes and other malicious tasks. However, this is not an easy undertaking as attackers must be within the range of the targeted devices, both devices must be BR/EDR, and the attack has to be repeated every time the devices are paired. Thankfully, at this time, no known attacks using this method or any devices that could carry out this attack have been seen.
Analyst Notes
Users should install updates when prompted by their device or the operating system manufacturer. Specifications for Bluetooth have also been updated to only allow for a minimum seven octet key length for BR/EDR connections.
