CyberNews Briefs

Critical Bluetooth flaw opens millions of devices to eavesdropping attacks

Security researchers have uncovered a serious flaw in the Bluetooth Core Specification that can enable attackers to capture and meddle with Bluetooth communications between impacted devices. The vulnerability, tracked as CVE-2019-9506, has already been fixed in many devices.

According to the research report[pdf], the Key Negotiation Of Bluetooth (KNOB) attack “allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time).”

The researches believe that all standard-compliant Bluetooth devices are affected by the flaw.  However, the attack can only be carried out if the threat actor is within the wireless range of vulnerable devices; while a Bluetooth connection is being established; within a narrow time window; and if both of the communicating devices are vulnerable.

Read more: Critical Bluetooth flaw opens millions of devices to eavesdropping attacks

OODA Analyst

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.