Warning over Bluetooth flaw that allows hackers to intercept data between devices and affects ALL iPhoneX, Pixel 2, and Samsung Galaxy S9 phones
- Newly discovered Bluetooth flaw potentially exposed millions of customers’ data
- Researchers say it allowed hackers to intercept data between devices
- There is no documented case of a hacker exploiting the flaw however, they say
- Affected chip makers include Intel, Broadcom, Apple, and Qualcomm
- New security measure and patches reportedly fixed the flaw, report says
Millions of Bluetooth devices may be affected by a serious security flaw that lets hackers intercept data transferred between two devices.
In a security advisory from The Bluetooth Special Interest Group — which oversees standards for the technology everywhere — the group has called attention to the flaw discovered by researchers at the Center for IT-Security, Privacy and Accountability.
According to them, the vulnerability allows hackers to shorten an encryption key linking two Bluetooth-connected devices.
With that shortened key, hackers can easily use brute-force (repeatedly enter an automated key) to plow their way into a person’s device.
A flaw in many Bluetooth chips made millions of devices vulnerable to an attack that can intercept data. Stock image
WHAT IS THE ‘KNOB’ ATTACK?
The KNOB, or Key Negotiation Of Bluetooth, attack is a flaw in many Bluetooth connections that allowed hackers to intercept data between devices.
It worked by shortening an encryption key between the two which made it easier for hackers to brute-force their way into a device.
The flaw has been patched and the Bluetooth Special Interest Group has written new standards to help prevent its exploitation in the future.
Once inside, hackers would be able to monitor data transferred between a Bluetooth connection, including car connections between phone and the vehicles computer, information between phones, and more.
Researchers have dubbed the hack the KNOB attack, or Key Negotiation Of Bluetooth.
‘The KNOB attack is a serious threat to the security and privacy of all Bluetooth users,’ says the security firm in a formal paper.
‘We were surprised to discover such fundamental issues in a widely used and 20-year-old standard.’
While researchers say there is no documented case of any hacker actually exploiting the flaw, the list of chips and devices that are vulnerable is fairly exhaustive.
According to them, at-risk devices include the iPhone X, AirPods, the Galaxy S9, the Pixel 2 and OnePlus5, the 2018 MacBook Pro, the iPad Pro 2, and more.
The attack reportedly only works if both devices have the vulnerability, but given the popularity of some of the affected chips — those from Intel, Broadcom, Apple, and Qualcomm — the chances aren’t exactly minor.
According to the Bluetooth SIG, the disclosure has been remedied by changing the ‘Core Specification to recommend a minimum encryption key length of 7 octets’ — in other words, lengthening the the encryption key standard to make it more difficult to crack.
Both Apple and Microsoft have also rolled our patches to fix the flaw, however, to fully protect oneself, users are required to also update affected Bluetooth devices, which is far less common than updating a phone or computer.