Hackers can snoop on users’ private conversations using Bluetooth and also manipulate data

Bluetooth is easiest and most hassle free ways of connecting with nearby devices. It’s often used to connect fitness tracker of your newly purchased wireless speaker and a wide range of devices.

However, a new report indicates that a new vulnerability in Bluetooth connections could allow hackers to snoop on your private conversations.

The vulnerability called Key Negotiation of Bluetooth (KNOB)  affects all the Bluetooth compliant devices and it allows malicious attackers to not only listen in on your private conversations but also manipulate information on your device.

Researchers from the Singapore University of Technology and Design, University of Oxford, and CISPA Helmholtz Center for Information Security who discovered this critical flaw explained: “We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to the listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired.”

Hackers take take advantage of the flaw in the Bluetooth standard. When two devices establish a Bluetooth connection, they do it using an encryption key. If the attacker gets in between this process, that is when the encryption key is being setup, it can manipulate the two devices to use an encryption key with considerably less number of digits or bits. The hacker would still have to use brute force attack to break the new encryption key, however, a shorter key is easier to break and requires less time.

However, for this to work the hacker needs to be in the vicinity to execute this attack. Moreover, the attack could affect all popular devices from Intel, Broadcom, Apple, and Qualcomm.

he researchers had notified manufacturers about this vulnerability back in 2018. And some companies like Apple, Microsoft, Google, Blackberry, Broadcom, Chicony and Cisco, as The Mashable noted, have already issued a patch to fix this vulnerability.

Source : Various