Bluetooth issued a Bluetooth Security Notice about a critical vulnerability in its system. The flaw reportedly allows attacking devices and hackers to gain access to the encryption key and key information.
Researchers from the Center for IT-Security, Privacy, and Accountability (CISPA) found the threat. The team at CISPA immediately notified the company and other industry vendors about the vulnerability. These include Amazon, Apple, Cisco, Intel, and Microsoft, Forbes states.
About the Flaw
According to Forbes, the vulnerability is known as the “Key Negotiation of Bluetooth,” otherwise referred to as “KNOB.” KNOB affects devices powered by Bluetooth Classic, versions 1.0 through 5.1.
Devices with Bluetooth BR/EDR will remain vulnerable to attacks, notes Mashable. Meanwhile, devices with Bluetooth Low Energy (BLE), such as AirPods, will remain safe from attackers.
The flaw leaves smartphones at risk of a potential attack, reveals Tech Radar. In particular, the vulnerability allows attackers to interfere with the initial process of pairing end devices. The data exchanged in the pairing process is intercepted, which results in an encryption key that is shorter than the original.
Once the encryption key has been intercepted and shortened, attackers can easily force their way into the connection. This results in data interception and spying on traffic between two devices, notes Engadget.
Besides these areas of concern, Tech Radar also states that attackers could observe keystrokes entered by the user. Mashable states that for attackers to gain access to data, they must be in the vicinity.
Attackers who successfully break through the security barrier remain undetected in a KNOB attack, the researchers state in their published study.
Despite extensive investigation, the researchers failed to discover attackers behind the exploit. At the USENIX Security Symposium, held last August 14 to 16, the researchers voiced concerns over the issue. Head investigators said they “were surprised to discover such fundamental issues in a widely used and 20 years old standard.”
Fixing the Issue
To address the issue, Mashable reports, Apple and Microsoft rolled out security patches in late July. Other manufacturers and vendors also helped address the security flaw, including Blackberry, Cisco, and Google. Although a fix has been provided to the public, individuals using Bluetooth programs are still required to install the patches manually.
Should the public and the manufacturers fail to address the flaw, millions of devices would be affected.