At the recent Usenix Security Syposium, researchers presented a paper detailing how the Bluetooth Classic key negotiation protocol is flawed and can be easily compromised during device pairing.

Bluetooth BR/EDR (also known as Bluetooth Classic) is found in more than a billion Bluetooth enabled devices ranging from keyboards and mice, to wireless modems, phones and audio devices.  The attack against the Key Negotiation Of Bluetooth (or KNOB for short) exploits a vulnerability in the architecture of Bluetooth.

The initial key negotiation during device pairing is controlled by low level firmware. It isn’t encrypted and as a result it is vulnerable to a man-in-the-middle attack. It is possible for such an attack to modify the initial pairing data exchange between the devices to cause the session encryption to use a key with just 8 bits of entropy. This makes it a trivial process to brute force the key in real time and gain access to all the traffic between the paired devices.

The CERT report on the vulnerability  explains the exploitation succinctly:

For example, assume that there are two controllers attempting to establish a connection: Alice and Bob. After authenticating the link key, Alice proposes that she and Bob use 16 bytes of entropy. This number, N, could be between 1 and 16 bytes. Bob can either accept this, reject this and abort the negotiation, or propose a smaller value. Bob may wish to propose a smaller N value because he (the controller) does not support the larger amount of bytes proposed by Alice. After proposing a smaller amount, Alice can accept it and request to activate link-layer encryption with Bob, which Bob can accept.

An attacker, Charlie, could force Alice and Bob to use a smaller N by intercepting Alice’s proposal request to Bob and changing N. Charlie could lower N to as low as 1 byte, which Bob would subsequently accept since Bob supports 1 byte of entropy and it is within the range of the compliant values. Charlie could then intercept Bob’s acceptance message to Alice and change the entropy proposal to 1 byte, which Alice would likely accept, because she may believe that Bob cannot support a larger N. Thus, both Alice and Bob would accept N and inform the Bluetooth hosts that encryption is active, without acknowledging or realizing that N is lower than either of them initially intended it to be.

The implication is that any Bluetooth Classic device that is fully compliant with the Bluetooth specification is vulnerable to the KNOB attack. This means passwords can be captured when entered on Bluetooth keyboards and all data traffic can be sniffed and captured when using a Bluetooth hotspot for wireless network access.  Devices from Intel, Qualcomm, Apple and Motorola were tested by the researchers and all were found to be vulnerable.

There is no practical mitigation users can take except ensure they install updated Bluetooth firmware as soon as it is released by their device manufacturers.