
Image credit: adrian825 via Getty Images

Serious Bluetooth flaw leaves devices open to attack

It's 'a serious threat to the security and privacy of all Bluetooth users.'

A group of researchers has discovered a critical Bluetooth vulnerability that leaves tons of wireless devices exposed to digital intrusions. The Bluetooth SIG, the organization that oversees the technology's standards, has issued a security notice for what the researchers are calling the Key Negotiation of Bluetooth, or KNOB, attack. It gives bad actors the ability to interfere with the Bluetooth pairing procedure, allowing them to make the connection's encryption key shorter than it's supposed to be. That makes it easy for attackers to brute force their way into the connection and spy on data shared between devices, such as between a phone and a speaker or a phone and another phone.

The fact that attackers can exploit the flaw even for devices that had been previously paired makes it even worse. According to the paper the researchers published, the vulnerability affects devices that use Bluetooth BR/EDR (or Bluetooth Classic) connections. The attack will only work if both devices establishing a connection have the vulnerability. That said, all the Bluetooth chips the researchers tested were vulnerable. KNOB's official website says:

"The KNOB attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack."

Tech giants like Apple and Microsoft have already rolled out patches to fix the flaw, and the Bluetooth Core Specification has been changed to require a minimum encryption key length. For those measures to work against what the researchers say is "a serious threat to the security and privacy of all Bluetooth users," though, people must update their devices when a fix becomes available.
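To make the key-shortening problem and the minimum-key-length fix concrete, here is a simplified model of the key size negotiation, added as an illustration and not taken from the researchers' paper or any vendor's code. The 1 to 16 octet range and the 7-octet floor are assumptions drawn from the Bluetooth specification and the SIG notice rather than from this article, and `Policy`, `respond` and `negotiate` are hypothetical names.

```python
from typing import NamedTuple, Optional

SPEC_MIN, SPEC_MAX = 1, 16  # octets; range assumed from the Bluetooth spec


class Policy(NamedTuple):
    min_octets: int
    max_octets: int = SPEC_MAX


LEGACY = Policy(min_octets=1)    # pre-fix device: accepts any in-range size
PATCHED = Policy(min_octets=7)   # assumed floor enforced by an updated device


def respond(proposed: int, local: Policy) -> Optional[int]:
    """Responder's decision: the size it agrees to, or None to refuse."""
    if not SPEC_MIN <= proposed <= SPEC_MAX:
        return None
    if proposed < local.min_octets:
        return None                          # below the local floor: refuse
    return min(proposed, local.max_octets)   # counter-propose down if needed


def negotiate(initiator: Policy, responder: Policy,
              received: Optional[int] = None) -> Optional[int]:
    """Return the agreed key size in octets, or None if negotiation fails.

    `received` is the size the responder actually sees. The exchange is not
    integrity-protected, so it can differ from what the initiator sent.
    """
    proposal = initiator.max_octets if received is None else received
    size = respond(proposal, responder)
    if size is None or size < initiator.min_octets:
        return None                          # either end's floor stops it
    return size


def key_bits(octets: int) -> int:
    """Entropy of the negotiated key: log2 of the brute-force search space."""
    return 8 * octets


if __name__ == "__main__":
    # Constructed scenarios: the responder sees a 1-octet proposal each time.
    for name, a, b in [("legacy/legacy", LEGACY, LEGACY),
                       ("legacy/patched", LEGACY, PATCHED),
                       ("patched/legacy", PATCHED, LEGACY)]:
        print(name, "->", negotiate(a, b, received=1))
```

Only the pairing of two unpatched endpoints settles on the shortened key, which matches the article's point that both devices must be vulnerable and that updating either end blocks the downgrade.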
