A Bluetooth vulnerability has been uncovered that could make it simpler for a hacker to intrude on devices, the standards organisation has said.
The flaw could allow interference from the moment an encrypted connection is set up between two devices.
A joint paper by researchers at Oxford University, Singapore University of Technology and Design and the Helmholtz Centre for Information Security (CISPA) called the issue “a serious threat to the security and privacy of all Bluetooth users”.
Named the Key Negotiation of Bluetooth attack, the weakness fools the pair into creating a relatively shorter encryption key, making it easier for hackers to crack.
To do this, perpetrators need to perform a brute-force attack, where many passwords are submitted by a system at speed with the hope of eventually narrowing it down to the correct one.
However, the person would need to be in close range of the devices it is trying to intercept and would have to figure out the password in ample time, as most Bluetooth transfers do not take long to complete.
A new #Bluetooth vulnerability named "KNOB" has been disclosed by @CISPA-Faculty Nils Tippenhauer, Daniele Antonioli (Singapore University of Technology and Design) and Kasper Rasmussen (University of Oxford). https://t.co/Tn04RfiCtt
— CISPA (@CISPA) August 14, 2019
The process would also have to be repeated each time, and is only thought to affect certain types of Bluetooth.
In response, standards group Bluetooth Special Interest Group (SIG) has updated its specification to recommend a minimum encryption key length.
“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” the organisation said.
