You must Register or Sign in to your Cyware account to perform this action
×Once you are logged in, you will be able to:
Customize your feeds by selecting categories you like
Comment on or Like an article
Receive the latest security stories, trends, and insights in your inbox
Build your profile and login across multiple devices
Bookmark a story and read it later
- Home
- Hacker News
- Malware and Vulnerabilities
- Newly discovered KNOB flaw found infecting Bluetooth-enabled devices

Newly discovered KNOB flaw found infecting Bluetooth-enabled devices
Newly discovered KNOB flaw found infecting Bluetooth-enabled devices- August 14, 2019
- |
- Malware and Vulnerabilities
/https://cystory-images.s3.amazonaws.com/shutterstock_136199795.jpg)
- The flaw has been tracked as CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection.
- Once the attackers manage to get the encryption key, they can monitor or manipulate traffic transferred between two paired devices.
Security researchers have come across a new vulnerability dubbed ‘KNOB’ that affects Bluetooth-enabled devices. The flaw can allow attackers to easily brute force the encryption key which is used for pairing to devices via Bluetooth.
What is the flaw?
In a coordinated disclosure between the Center for IT-Security, Privacy, and Accountability (CISPA), ICASI, it has been found that the flaw affects Bluetooth BR/EDR devices that use version 1.0-5.1. The flaw has been tracked as CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection.
“The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used,” said the disclosure.
Researchers further noted that, “For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection.”
What is the impact?
Once the attackers manage to get the encryption key, they can monitor or manipulate traffic transferred between two paired devices. This includes potentially injecting commands, monitoring keystrokes and other types of behavior.
“In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic,” added the researchers.
Worth noting
Exploiting this vulnerability is not an easy task as there are some limitations such as the following.
- Both devices need to be Bluetooth BR/EDR.
- The attack is possible if the attacker is within the Bluetooth range of the targeted device.
- The attacker can repeat the attack only when the devices are paired, in case of a failure.
How to stay safe?
Bluetooth users should install the latest recommended updates from their respective device and operating system manufacturers. The Bluetooth specification has updated to a minimum encryption key length of 7 octets for BR/EDR connections.
Microsoft has also released a note to address the issue in an update titled "CVE-2019-9506 | Encryption Key Negotiation of Bluetooth Vulnerability."
- + Aware
Get such articles in your inbox
News
-
Previous News Misconfigured MongoDB database leaks 700,000 Choice Hotels customer records
- August 14, 2019
- |
- Breaches and Incidents
-
Next News Chinese App Sweet Chat Exposes 10M Users’ Chats and Private Photos
- August 13, 2019
- |
- Breaches and Incidents
Popular News
Related News
-
Scientists Break Largest Encryption Key Yet with Brute Force
- December 10, 2019
- |
- New Cyber Technologies
-
Researchers unveil quantum cryptographic method
- November 26, 2019
- |
- New Cyber Technologies
Categories
Get such articles in your inbox
News
-
Previous News Misconfigured MongoDB database leaks 700,000 Choice Hotels customer records
- August 14, 2019
- |
- Breaches and Incidents
-
Next News Chinese App Sweet Chat Exposes 10M Users’ Chats and Private Photos
- August 13, 2019
- |
- Breaches and Incidents
Popular News
Related News
-
Scientists Break Largest Encryption Key Yet with Brute Force
- December 10, 2019
- |
- New Cyber Technologies
-
Researchers unveil quantum cryptographic method
- November 26, 2019
- |
- New Cyber Technologies
Categories
