Connect with us

Hi, what are you looking for?



New Bluetooth Vulnerability Allows Attackers to Intercept Traffic

A KNOB (key negotiation of Bluetooth) attack against the basic rate/enhanced data rate (BR/EDR, or Bluetooth Classic) configuration can result in information disclosure and/or escalation of privileges.

A KNOB (key negotiation of Bluetooth) attack against the basic rate/enhanced data rate (BR/EDR, or Bluetooth Classic) configuration can result in information disclosure and/or escalation of privileges.

The vulnerability was discovered by researchers at the Center for IT-Security, Privacy and Accountability (CISPA), and reported to Bluetooth. Bluetooth published an advisory and Microsoft patched its own Bluetooth in the August 2019 updates. But patching Windows does not mean the Bluetooth issue is solved.

In its own Vulnerability Note VU#918987, CERT/CC has explained the vulnerability and designated it as CVE-2019-9506 with a CVSS score of 9.3. The vulnerability is based on the process by which communicating Bluetooth devices decide on and establish an encryption key length. This can be anything between one and 16 bytes of entropy. One byte provides an encryption key so small that it can be brute forced by an attacker.

Microsoft patched Windows Bluetooth with “a software update that enforces a default 7-octet minimum key length to ensure that the key negotiation does not trivialize the encryption.” However, this is not set by default and must be enabled by the user setting a flag in the registry. Unless this flag is set, Windows Bluetooth will remain susceptible to the vulnerability.

The main problem is that an attacker can force a minimal key length. It is not a simple attack and it is thought that it has never been maliciously exploited. BR/EDR Bluetooth is the standard configuration for short range communication. This means that the attacker must be adjacent to the communicating devices with kit adequate to intercept the wireless communications.

In such circumstances, the attacker could intercept a proposal request and change the requested key length to 1. Under normal circumstances (but not by patched Windows if the registry flag is set) this would be accepted as a valid proposal since it is within the Bluetooth parameters. The second device may respond by requesting a larger entropy — but again the attacker could intercept and change it to 1.

“Thus,” explains CERT/CC, “both Alice and Bob would accept N [ie, 1] and inform the Bluetooth hosts that encryption is active, without acknowledging or realizing that N is lower than either of them initially intended it to be.”

Advertisement. Scroll to continue reading.

It is still not a simple attack. As Bluetooth explains, “If the attacking device was successful in shortening the encryption key length used, it would then need to execute a brute force attack to crack the encryption key. In addition, the attacking device would need to repeat the attack each time encryption gets enabled since the encryption key size negotiation takes place each time.”

Bluetooth has responded by updating the Bluetooth Core Specification to recommend a minimum encryption key length of seven octets; that is the length set in the Windows update. For Windows Bluetooth communication to continue (assuming the user actually does set the registry flag), it will require that other Bluetooth device manufacturers update their products to the new specification, and that users update their devices to include the latest software version.

Without this, as Microsoft comments, “If your particular Bluetooth device or the Bluetooth radio in your Windows device, or the driver for that Bluetooth radio does not support the longer key length, this update could block connections with that device when the registry key EnableMinimumEncryptionKeySize is set.”

Related: Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation 

Related: New Vehicle Hack Exposes Users’ Private Data Via Bluetooth 

Related: Bluetooth Chip Flaws Expose Enterprises to Remote Attacks 

Related: Billions of Devices Potentially Exposed to New Bluetooth Attack

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.