A recent report by researchers at the Helmholz Center for Information Security (CISPA), Singapore University of Technology and Design, and the University of Oxford has revealed that Bluetooth technology is vulnerable to a new type of hacking which allows for an attacker to carry out data theft on a Bluetooth-enabled device without the user’s knowledge or permission so long as the cyber-criminal is within Bluetooth range of the targeted device.
Bluetooth technology allows your mobile phone to communicate with other Bluetooth-enabled devices, such as your wireless headphones, portable speakers, smart watches, or even your car. Bluetooth technology works by using radio waves instead of wires or cables to connect or pair multiple Bluetooth-enabled devices. The most common type of Bluetooth technology used by most consumer-level digital devices has a range of about 10 meters, or 33 feet. There are now literally billions of Bluetooth enabled devices in the world. However, Bluetooth technology traditionally has long been considered relatively unsafe from a data security perspective.
The research report outlines a new Bluetooth security vulnerability, known as a “Key Negotiation of Bluetooth” or “KNOB” attack. According to the report, a KNOB attack allows a hacker to funnel data streaming between Bluetooth-connected devices – whether it be the music you are listening to on your wireless headphones, or the words you type on a Bluetooth-enabled keyboard. Perhaps more disturbingly, a KNOB attacker can “pair” with a user’s device without the user’s knowledge or permission, if within range of the targeted device.
A KNOB attack works by conducting what is known as an “entropy attack” against the targeted Bluetooth device, making the device extremely vulnerable to a brute force attack. The report indicates that devices manufactured by companies such as Intel, Broadcom, Apple, Cisco, Microsoft and Qualcomm may be particularly susceptible to a KNOB attack.
There are a number of straightforward ways to defend Bluetooth-enabled devices from a KNOB attack. First, the user can simply turn off the Bluetooth functionality on a device. Second, a user should regularly check any Bluetooth-enabled devices to view what other devices they are paired with. If a device is paired with another device that one does not recognize, or does not belong to the user, it is recommended to immediately disconnect from (also known as to “forget”) the unrecognized device. Finally, and most importantly, users can ensure that their devices have recently been patched and have the most up-to-date security upgrades. Many manufacturers whose devices are susceptible to KNOB attacks are aware of the new vulnerability and have sent or can be expected to soon be sending out security patches to address this new security concern.