Bluetooth SIG, the governing body that oversees the communications technology, has acknowledged a serious new security vulnerability in a warning to users.
The vulnerability, which was first discovered by researchers at the Center for IT Security, Privacy, and Accountability (CISPA), could allow bad actors to funnel and even alter data sent between Bluetooth-connected devices.
Researchers have dubbed the vulnerability KNOB, or Key Negotiation of Bluetooth. That’s because the attack occurs when two devices are connecting to each other (or “negotiating” a connection).
“The KNOB attack is a serious threat to the security and privacy of all Bluetooth users,” the researchers wrote in a paper published Tuesday.
“We were surprised to discover such fundamental issues in a widely used and 20-year-old standard.”
How KNOB Works
- Instead of trying to break Bluetooth encryption, the vulnerability works by forcing two devices to use weaker encryption at the time of connection.
- If an attacker is able to get “in between” two devices during the connection period, they could force both devices to establish an encryption key with a small number of characters — in fact, it could even be as short as a single character. The smaller encryption keys are, obviously, much easier to brute force.
- Luckily, because of the nature of the vulnerability, there’s an extremely narrow window of opportunity to take advantage of it. An attacker would need to be present during the actual Bluetooth connection process between two devices.
Additionally, the vulnerability does not affect devices that rely on the Bluetooth Low Energy standard, such as wearables.
In its security alert, the Bluetooth SIG noted that there’s no evidence that the vulnerability has been used maliciously in the wild. On the other hand, the group admitted that they have no way of fixing the attack on their end.
Device manufacturers can protect their users against the vulnerability by ensuring that Bluetooth connections have a minimum seven-character encryption key.
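The following is an added example, not code from the researchers or the Bluetooth SIG: a toy model of the key-length negotiation described above, showing why a locally enforced minimum makes a device refuse a shortened key. The class, function names and the 16-byte maximum are assumptions, and each "character" is treated as one byte.

```python
# Toy model of key-length negotiation between two Bluetooth devices.
# All names and values are constructed for illustration; one "character"
# in the article is treated here as one byte (assumption).

MAX_KEY_LEN = 16      # assumption: longest key a device offers in this model
LEGACY_MIN = 1        # article: a key "as short as a single character"
MITIGATED_MIN = 7     # article: recommended minimum key length


class Device:
    def __init__(self, name, min_len, max_len=MAX_KEY_LEN):
        self.name, self.min_len, self.max_len = name, min_len, max_len

    def accepts(self, length):
        """Local policy check: refuse anything outside [min_len, max_len]."""
        return self.min_len <= length <= self.max_len


def negotiate(initiator, responder, in_transit=None):
    """Return the agreed key length, or None if either side refuses.

    in_transit is an optional callable that rewrites the proposed length
    between the devices, modelling a party "in between" the two devices.
    """
    proposed = initiator.max_len
    if in_transit is not None:
        proposed = in_transit(proposed)
    proposed = min(proposed, responder.max_len)   # responder may lower it
    # Each endpoint applies its own minimum; this is the mitigation point.
    if not responder.accepts(proposed) or not initiator.accepts(proposed):
        return None
    return proposed


def keyspace(length_bytes):
    """Number of candidate keys an exhaustive search must cover."""
    return 256 ** length_bytes


def downgrade(_proposed):
    return 1   # the shortened length described in the article


if __name__ == "__main__":
    old_a, old_b = Device("old-a", LEGACY_MIN), Device("old-b", LEGACY_MIN)
    new_a, new_b = Device("new-a", MITIGATED_MIN), Device("new-b", MITIGATED_MIN)
    for a, b in [(old_a, old_b), (new_a, old_b), (new_a, new_b)]:
        n = negotiate(a, b, in_transit=downgrade)
        result = "refused" if n is None else f"{n} byte(s), {keyspace(n)} keys"
        print(f"{a.name} <-> {b.name}: {result}")
```

In this model a single endpoint enforcing the minimum is enough for the shortened negotiation to be refused, while two endpoints without it settle on a key with only 256 possible values.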
Many companies, like Apple, have already implemented mitigation fixes in their latest software updates.
All of this is to say that you should update to the latest available version of your operating systems as soon as possible.
This isn’t the only Bluetooth vulnerability to come to light in recent months. Back in June, another flaw that could allow users to be tracked was discovered in the communications standard.