A group of researchers has disclosed a new vulnerability that affects Bluetooth connections. According to them, the flaw is classified as serious because it puts the security and privacy of all Bluetooth users at risk.
Is my Bluetooth connection really insecure?
The researchers, who announced this new Bluetooth vulnerability at the USENIX Security Symposium, have been clear: it is serious. And it is, because the Bluetooth SIG itself, the body that oversees the standards of this technology, has confirmed its existence and issued a security notice about what they have called KNOB (Key Negotiation of Bluetooth).
The bug consists of taking advantage of the Bluetooth pairing procedure to change the encryption key to a shorter one that is therefore easier to crack. Once the devices are linked, a brute-force attack would then be used to recover the key and gain access to the data shared between the two devices.
Given that there are millions of devices with this type of connection, such as telephones, computers, cars, speakers and wearables, the threat is logically classified as serious. There is also no fix that does not involve a complete change of the specification, so for now the only option is patches that reduce the risk.
And here comes the important part: how does it affect you as a user? For now we must clarify that, according to the information available, only devices with a "classic" connection (Bluetooth BR/EDR) are affected. If your device uses Bluetooth LE (Low Energy), it is not at risk.
If your device uses one of the 17 chips identified so far as susceptible to attack, you will need to update it or install the security patches that the manufacturers release. For now, only Apple and Microsoft have released security patches, although the Bluetooth core specification has been updated to set the minimum length of the encryption key to a higher value. This makes the key harder to break by brute force.
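An added example (not from the article, the researchers or the Bluetooth SIG) that models why a higher minimum key length defeats the shortening of the key: either device can refuse a short key, and every extra byte multiplies the brute-force search by 256. The 1 to 16 byte range, the 7-byte patched minimum and the device names are assumptions not stated in the article.

```python
# Added illustration, not code from the researchers or the Bluetooth SIG.
# Assumed values (not stated in the article): key lengths range from 1 to
# 16 bytes, and a patched device refuses anything shorter than 7 bytes.
from dataclasses import dataclass

MAX_KEY_BYTES = 16
PATCHED_MIN_BYTES = 7

@dataclass
class Device:
    name: str
    min_key_bytes: int              # shortest key this device will accept
    max_key_bytes: int = MAX_KEY_BYTES

def negotiate(initiator, responder, proposal_seen):
    """Return the agreed key length in bytes, or None if the link is refused.

    proposal_seen is the length proposal as it arrives at the responder,
    which may be lower than what the initiator actually sent.
    """
    agreed = min(proposal_seen, initiator.max_key_bytes, responder.max_key_bytes)
    if agreed < 1:
        return None
    # Either side can veto a key shorter than its own minimum.
    if agreed < initiator.min_key_bytes or agreed < responder.min_key_bytes:
        return None
    return agreed

def keyspace(key_bytes):
    """Number of candidate keys a brute-force search has to cover."""
    return 2 ** (8 * key_bytes)

def report(initiator, responder, proposal_seen):
    agreed = negotiate(initiator, responder, proposal_seen)
    if agreed is None:
        return f"{initiator.name} <-> {responder.name}: refused"
    return f"{initiator.name} <-> {responder.name}: {agreed} byte(s), {keyspace(agreed)} keys"

if __name__ == "__main__":
    old_phone = Device("old-phone", min_key_bytes=1)       # constructed devices
    old_car = Device("old-car", min_key_bytes=1)
    new_phone = Device("patched-phone", min_key_bytes=PATCHED_MIN_BYTES)
    for a, b in [(old_phone, old_car), (new_phone, old_car)]:
        for seen in (16, 1):
            print(report(a, b, seen))
```

In this model a link is only left with a 1-byte key when both devices still accept it; a single patched device is enough to refuse the short key.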

Therefore, given that to take advantage of it the attacker must be within range of the user and do everything in a very narrow window of time, we could say that you can rest easy. Furthermore, the Bluetooth SIG itself has no confirmation or evidence that it has been exploited.
Even so, many companies use one of those 17 affected chips: Apple, Intel, Qualcomm, Broadcom and many more. So watch for updates or patches; keeping your devices up to date is important to avoid problems of this type.