Researchers have discovered a new Bluetooth vulnerability called “Key Negotiation of Bluetooth” (KNOB). It allows attackers to spy on encrypted communications and data exchanged between two devices.

This vulnerability threatens the security and privacy of more than one billion Bluetooth enabled devices. Especially smartphones, laptops, connected objects and industrial devices.

The vulnerability, CVE-2019-9506, allows attackers to enforce the encryption key used during the pairing to more easily monitor or manipulate data transferred between two paired devices.

The vulnerability was unveiled by the Center for Information Technology Security, Confidentiality and Accountability (CISPA) and the Sector Federation for the Advancement of Internet Security (ICASI).

This vulnerability allows the attacker to reduce the length of the encryption key used to establish a connection, which means that the attacker intercepts, monitors, or processes encrypted Bluetooth traffic between two paired devices.

Bluetooth SIG has updated the basic Bluetooth specification to address this security issue by recommending a minimum length of the BR / EDR encryption key. Bluetooth SIG strongly recommends that product developers update existing solutions to apply a minimum encryption key length for the BR / EDR system.

Many affected vendors have started issuing security updates for operating systems and firmware :

– Microsoft for Windows.
– Cisco IP Phones and Webex.
– Google for Android.
– Apple for MacOS, iOS and watchOS.
– Blackberry.

Source : Bluetooth.com