The KNOB attack, short for Key Negotiation of Bluetooth attack, was brilliantly explained by Daniele Antonioli, a researcher at the Singapore University of Technology and Design, on CyberWire’s Research Saturday, presented by Juniper Networks. Based on the interview, attackers use KNOB to take advantage of a weakness in Bluetooth’s security and gather sensitive data from the communicating parties.
According to Antonioli, pairing is the stage at which two Bluetooth devices that have never met before establish a long-term relationship so that they recognize each other from then on. Devices such as headphones, laptops and smart televisions all have Bluetooth, which they use to connect to other devices and carry out linked activities. Heller, writing for TechTarget’s SearchSecurity, quotes the abstract of Antonioli’s research paper: “The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy”.
Based on the interview, a key with only 1 byte (8 bits) of entropy allows attackers with Bluetooth engineering expertise to brute-force the negotiated encryption key; the attackers would, however, need to be within Bluetooth range. Heller’s article continues its discussion of Antonioli’s research paper: “Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid messages (in real-time)”. Moreover, the Bluetooth protocol the devices use for this negotiation is not encrypted, so the packets sent from one device to the other carry no integrity protection. A third party can exploit this by mounting a man-in-the-middle attack between the devices in order to gather sensitive information.
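To make the entropy argument concrete, here is an added model of the key-size negotiation (example code written for this page, not from the interview or from Antonioli’s paper). It assumes a toy cipher in place of Bluetooth’s real one, simplifies the entropy reduction to keeping the first n octets of the key, and uses 7 octets as an assumed policy floor; it shows that a 1-octet key falls to exhaustive search in at most 256 tries, and how a minimum-key-size check refuses such a downgraded negotiation.

```python
import hashlib

KEY_LEN = 16       # BR/EDR encryption keys are 16 octets
MIN_KEY_BYTES = 7  # assumed policy floor for this model (the post-KNOB recommended minimum)

def negotiate_key_size(proposal_a: int, proposal_b: int, in_transit=lambda p: p) -> int:
    """Each device proposes a maximum entropy; the agreed size is the minimum of what
    each side receives. `in_transit` models a third party rewriting the unencrypted,
    unauthenticated proposals on the wire (the identity function means no tampering)."""
    return min(in_transit(proposal_a), in_transit(proposal_b))

def reduce_entropy(link_key: bytes, n: int) -> bytes:
    """Model of the entropy reduction: only the first n octets stay secret.
    (The real Es function is a polynomial reduction; this is a simplification.)"""
    return link_key[:n] + b"\x00" * (KEY_LEN - n)

def toy_encrypt(key: bytes, msg: bytes) -> bytes:
    """Stand-in stream cipher (keystream = SHA-256(key)); not Bluetooth's E0 or AES-CCM."""
    stream = hashlib.sha256(key).digest()
    return bytes(m ^ s for m, s in zip(msg, stream))

def search_space(n: int) -> int:
    """Number of candidate keys an attacker must try: 256**n (2**8 for n = 1)."""
    return 256 ** n

def recover_key(ciphertext: bytes, known_plaintext: bytes, n: int):
    """Exhaustive search over the reduced key space using one known plaintext.
    Returns (attempts, key) or (attempts, None). Refuses n > 2 so the point stays
    visible: the search is only feasible because the negotiated entropy is tiny."""
    if n > 2:
        raise ValueError("search space too large to enumerate in this model")
    for attempts, candidate in enumerate(range(search_space(n)), start=1):
        key = candidate.to_bytes(n, "big") + b"\x00" * (KEY_LEN - n)
        if toy_encrypt(key, known_plaintext) == ciphertext:
            return attempts, key
    return search_space(n), None

def accept_negotiation(n: int) -> bool:
    """Mitigation: refuse to enable encryption when the negotiated size is below the floor."""
    return n >= MIN_KEY_BYTES

if __name__ == "__main__":
    link_key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed sample key
    n = negotiate_key_size(16, 16, in_transit=lambda p: 1)       # downgraded to 1 octet
    ct = toy_encrypt(reduce_entropy(link_key, n), b"hello bluetooth!")
    attempts, key = recover_key(ct, b"hello bluetooth!", n)
    print(f"negotiated {n} octet(s): space={search_space(n)}, recovered after {attempts} tries, "
          f"accepted by policy: {accept_negotiation(n)}")
```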
At the end of the interview, Antonioli also advised security professionals within organizations and corporations to patch their operating systems so that these vulnerabilities do not affect the business. If an organization’s systems cannot be patched, the alternative is to avoid sharing sensitive information over Bluetooth-connected devices.