
Your Bluetooth devices could be a handy backdoor for hackers

Patrick Devaney


Researchers have discovered a disturbing new Bluetooth vulnerability that could leave our wireless devices open to cyber-attack. The problem relates to Bluetooth’s authentication protocols and could see a potential attacker taking up a position between two Bluetooth devices and eavesdropping on all information shared across the connection.

The vulnerability, which is known as KNOB (Key Negotiation of Bluetooth), is so serious that the Bluetooth SIG Group has been forced to publish a security warning detailing the new bug.

New Bluetooth bug can target Bluetooth devices from versions 1.0 to 5.1

A team of researchers from Oxford University, the Singapore University of Technology and Design, and CISPA Helmholtz Center for Information Security is responsible for the discovery. In a KNOB attack, the security of a Bluetooth connection is degraded to such a level that a brute-force attack, where a hacker simply cycles through all possible encryption keys until they stumble upon the correct one, becomes possible.

Once the attacker arrives at the correct encryption key, they have full access to all data being shared across the connection and could even add their own data to it. To give an example of what this could mean, I’m writing this report out on a keyboard and thinking about the last time I used my online banking!

The Bluetooth SIG Group had to release a security notice warning about the vulnerability

The other scary thing to note about a KNOB attack is that victims don’t even know they’ve been compromised. It isn’t the easiest exploit, however, which means there is hope. The post explaining the vulnerability says, “For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection. If one of the devices did not have the vulnerability, then the attack would not be successful.”

Fortunately, there are Bluetooth devices out there that aren’t vulnerable to this attack, and the attack will only work if the attacker is in close proximity to two vulnerable devices at the same time. The level of effort required to pull this off means it is likely to be businesses that will be targeted rather than individuals. Don’t worry, nobody is going to be hacking into your headphones and telling everybody that you listen to Justin Bieber, and not Led Zeppelin like you’ve been telling everybody.


The other good news is that the Bluetooth SIG Group, which describes itself as “a global community of over 34,000 companies serving to unify, harmonize and drive innovation in the vast range of connected devices all around us”, has already upgraded the minimum security specification that goes out to Bluetooth manufacturers to seven bytes. This means that even if the KNOB attack can degrade the security credentials of a Bluetooth connection, it won’t be able to do so to the extent that a brute-force attack will be possible.
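To show why a minimum key length on even one device blocks the downgrade, here is a simplified model of the key-length negotiation. It is an added example, not code from the researchers or the Bluetooth SIG. The function names are hypothetical, and the 1 to 16 byte range comes from the Bluetooth BR/EDR specification rather than from this article.

```python
"""Simplified model of BR/EDR encryption key-length negotiation (added example)."""

SPEC_MIN, SPEC_MAX = 1, 16   # key length range in bytes (from the spec, an assumption here)
PATCHED_MIN = 7              # the seven-byte minimum the article reports


def negotiate(a_min, a_max, b_min, b_max, tamper_to=None):
    """Return the agreed key length in bytes, or None if either device aborts.

    tamper_to models a proposal rewritten in transit (the downgrade the
    article describes); None means the proposal arrives unmodified.
    """
    proposal = a_max if tamper_to is None else tamper_to
    if not SPEC_MIN <= proposal <= SPEC_MAX:
        return None
    agreed = min(proposal, b_max)          # the responder can only counter lower
    if agreed < a_min or agreed < b_min:   # each side enforces only its own floor
        return None
    return agreed


def forced_floor(a_min, b_min):
    """Smallest key length that both devices can be made to accept."""
    for size in range(SPEC_MIN, SPEC_MAX + 1):
        if negotiate(a_min, SPEC_MAX, b_min, SPEC_MAX, tamper_to=size) is not None:
            return size
    return None


def keyspace(size_bytes):
    """Number of candidate keys a brute-force search has to cover."""
    return 2 ** (8 * size_bytes)


if __name__ == "__main__":
    pairs = {
        "both unpatched": (SPEC_MIN, SPEC_MIN),
        "one patched": (PATCHED_MIN, SPEC_MIN),
        "both patched": (PATCHED_MIN, PATCHED_MIN),
    }
    for label, (a_min, b_min) in pairs.items():
        floor = forced_floor(a_min, b_min)
        print(f"{label:15} floor={floor} bytes, {keyspace(floor):,} possible keys")
```

With one patched device, a tampered one-byte proposal makes `negotiate` return `None`: the connection is refused rather than weakened, which matches the SIG statement quoted above.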

AAAANNNNDDDD Breathe. Phew, it took a lot to get through all of that without making a single knob joke. Best knob jokes in the comments please.
