
Bluetooth - Another Backdoor for Hackers to Break into our Privacy


By: Phil Abraham

September 10, 2019

Do you know how old Bluetooth connectivity is? Almost two decades. Do you think this 20-year-old wireless capability has become old school? No, not at all!


A big thanks goes to the growth of IoT, which has positioned Bluetooth in new environments beyond consumer-facing applications, such as smart buildings, industry, and cities. To picture how widely the Bluetooth protocol is used, consider the extensive use of IoT devices [1]:

  • 26.66 billion IoT devices are active in 2019
  • By 2025 the number of IoT devices will reach 75 Billion
  • 127 new IoT devices are connected every second
  • By 2020, the global market will grow to 457 billion; 40% of that will be in the healthcare industry
Everything sounds cool, right? Sadly, this platform, insecure and vulnerable from its inception, has also become eye candy for hackers. Research [2] conducted by a team at Boston University revealed several flaws in the way Bluetooth functionality is implemented on a range of consumer devices. The assigned vulnerability, CVE-2019-9506, resides in the way encryption key negotiation lets two Bluetooth BR/EDR (Basic Rate/Enhanced Data Rate, also known as “Bluetooth Classic”) devices choose the entropy of their encryption key while pairing to secure their connection. This vulnerability is known as the Key Negotiation of Bluetooth (KNOB) attack. It allows remote attackers close to the target devices to intercept, monitor, or manipulate (encrypted) Bluetooth traffic between paired devices.

Bluetooth BR/EDR is a wireless technology designed for relatively short-range yet continuous wireless connections, such as streaming audio to portable speakers or headsets. As far as security is concerned, the Bluetooth BR/EDR core specification supports encryption keys with entropy between 1 and 16 bytes (octets); the higher the value, the stronger the security. The researchers found that the entropy negotiation devices perform over the Link Manager Protocol (LMP) is neither encrypted nor authenticated, and can easily be hijacked or manipulated over the air.

Where’s the FLAW?

The same paper describes a methodology for identifying such Bluetooth devices, even when MAC addresses are hidden or randomized. In early implementations, devices advertised their presence by broadcasting data on advertising channels. This system was designed to let Bluetooth devices pair easily, but it came with security vulnerabilities. Specifically, devices sent their Bluetooth MAC address on those channels. Since this is a permanent address, anyone within a few meters of the device can collect a unique identifier and track the Bluetooth device wherever it goes.

To combat this, the Bluetooth Low Energy standard moved away from open MAC addresses. Instead, devices using the protocol use randomized, temporary addresses, which was expected to make newer Bluetooth devices untraceable. The problem now is that many of these devices use dynamic identifying tokens unique to each device, and those tokens stay static long enough to serve as a secondary identifier. The tokens do not change when the MAC address is randomized, which lets one randomized address be associated with the next through the token. That means anyone in Bluetooth range can uniquely identify a device and potentially track its activities.

The KNOB attack succeeds only when:
  • Both Bluetooth devices are establishing a BR/EDR connection
  • Both devices must be vulnerable to this flaw
  • The attacker should be capable of blocking direct transmissions between devices while pairing
  • The attack must be performed during negotiation or renegotiation of a paired device connection
According to the official advisory, "Since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet." [3]
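The key-size negotiation the article describes, as an added example that is not part of the original post or the researchers' code: a simplified Python model (not the Bluetooth SIG's LMP state machine) in which an unauthenticated proposal passes through either an honest channel or a KNOB-style rewriter, showing why both devices must lack a 7-octet floor for the attack to succeed and how small the resulting key space is. Device names and the `Device`, `negotiate` and `keyspace` helpers are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_KEY_OCTETS = 16      # largest key size BR/EDR allows
SIG_MIN_OCTETS = 7       # floor recommended after KNOB (CVE-2019-9506)

@dataclass
class Device:
    name: str
    max_octets: int = MAX_KEY_OCTETS
    min_octets: int = 1  # policy floor; 1 models an unpatched chip

    def answer(self, proposed: int) -> Tuple[str, int]:
        """Reject below the floor, counter with own max if too big, else accept."""
        if proposed < self.min_octets:
            return "reject", proposed
        if proposed > self.max_octets:
            return "counter", self.max_octets
        return "accept", proposed

Channel = Callable[[int], int]  # transforms what the peer actually receives

def honest(n: int) -> int:
    return n

def knob_mitm(n: int) -> int:
    # KNOB: the LMP key-size request is neither encrypted nor authenticated,
    # so an in-range attacker can rewrite every proposal to a single octet.
    return 1

def negotiate(master: Device, slave: Device, channel: Channel = honest) -> Optional[int]:
    """Agreed key size in octets, or None when either side refuses."""
    proposed = master.max_octets
    for _ in range(2):                 # one counter-proposal is all the model needs
        verdict, value = slave.answer(channel(proposed))
        if verdict == "reject":
            return None
        if value < master.min_octets:  # master applies its own floor to the echoed size
            return None
        if verdict == "accept":
            return value
        proposed = value               # slave countered; master re-proposes that size
    return None

def keyspace(octets: int) -> int:
    """Number of candidate keys a brute-force attacker must try: 2^(8*octets)."""
    return 1 << (8 * octets)

if __name__ == "__main__":
    laptop, headset = Device("laptop"), Device("headset")
    print("honest:", negotiate(laptop, headset))                          # 16
    print("KNOB, both unpatched:", negotiate(laptop, headset, knob_mitm))  # 1
    patched = Device("laptop", min_octets=SIG_MIN_OCTETS)
    print("KNOB, one side patched:", negotiate(patched, headset, knob_mitm))  # None
```

With a 1-octet key the search space is 256 keys; a 7-octet floor raises it to 2^56, which is why the advisory's recommendation closes the practical attack even though it does not authenticate the negotiation itself.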

Are all devices (Software/Vendors/OS/Patch Updates) affected?

The team behind the research built a system to identify Bluetooth devices across a test network. The researchers tested a wide range of devices, including Windows and Mac computers and iPhones. The results varied slightly across the selected devices, but are still a cause for concern: "We evaluate the KNOB attack on more than 14 Bluetooth chips from different vendors such as Intel, Broadcom, Apple, and Qualcomm. All the chips accept 1 byte of entropy except the Apple W1 chip that accepts (at least) 7 bytes of entropy." [3]

“The algorithm succeeds consistently on Windows 10 and sometimes on Apple operating systems,” according to the report. “In both cases, the respective identifying tokens change out of sync with the advertising address. In the Windows 10 case, there is no evidence of any synchronization by design. In the Apple case, it seems that there exist mechanisms to synchronize updates of identifying tokens with address randomization, but they occasionally fail.” [4]
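The out-of-sync token behaviour quoted above, as an added example that is not from the original post or the Boston University paper: a Python self-check a device vendor could run over its own advertisement log to confirm that identifying tokens rotate together with the random address. The log below is constructed, and the helper names are assumptions made for the illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed advertisement log (not a real capture): (seconds since start,
# random advertising address, identifying token carried in the payload).
ADVS: List[Tuple[int, str, str]] = [
    (0,    "5a:12:c0:9e:01:aa", "tok-7f3a"),
    (300,  "5a:12:c0:9e:01:aa", "tok-7f3a"),
    (900,  "c1:88:02:fe:33:04", "tok-7f3a"),  # address rotated, token did not
    (1200, "c1:88:02:fe:33:04", "tok-9b10"),
    (1800, "0e:af:70:11:56:d2", "tok-9b10"),  # out of sync again
    (2400, "77:20:1d:b0:c9:e1", "tok-c55d"),  # clean rotation: both changed
]

def tokens_spanning_addresses(advs) -> Dict[str, List[str]]:
    """Tokens seen under more than one random address: each one is a bridge."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, addr, tok in advs:
        seen[tok].add(addr)
    return {tok: sorted(a) for tok, a in seen.items() if len(a) > 1}

def linkable_groups(advs) -> List[List[str]]:
    """Group addresses that shared tokens chain together (union-find).
    A device rotating correctly yields exactly one address per group."""
    parent: Dict[str, str] = {}
    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    first_addr_for_token: Dict[str, str] = {}
    for _, addr, tok in advs:
        find(addr)                           # register the address
        if tok in first_addr_for_token:
            parent[find(addr)] = find(first_addr_for_token[tok])
        else:
            first_addr_for_token[tok] = addr
    groups: Dict[str, Set[str]] = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())

def rotates_in_sync(advs) -> bool:
    """Vendor self-check: True only when no token outlives its address."""
    return not tokens_spanning_addresses(advs)
```

On the constructed log the first three addresses collapse into a single linkable identity because two tokens each outlived an address change, while the last rotation, where address and token changed together, stays unlinked.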

What’s the broader concern?

The broader concern is that if laptops and smartphones are identifiable, then the many other Bluetooth devices (those that power the IoT) are also likely to be vulnerable to this exploit. To mitigate the attack, devices implementing the Bluetooth specifications are strongly recommended to enforce a minimum encryption key length of 7 octets for all BR/EDR connections. To deal with this vulnerability, some of the affected vendors have already rolled out security updates for their OS, firmware, and software, including:
  • Microsoft for Windows
  • Apple for macOS, iOS, and watchOS
  • BlackBerry
  • Cisco for IP Phones and Webex
  • Google for Android

Other problems with Bluetooth

In the broadest picture, Bluetooth has never really reached its maximum potential, not least because there is a significant security hole in the system. Interestingly, this has not slowed the rise of Bluetooth 5. Use of the technology is expected to grow from 4.2 to 5.2 billion devices between 2019 and 2022, half a billion of them wearables and other data-focused connected devices. The ability to identify devices might not matter to the average Bluetooth user, but it potentially gives bad guys and surveillance agencies a powerful tool for launching sophisticated attacks.

Generally speaking, Bluetooth surveillance is becoming a concern, thanks to more and more devices using Bluetooth connectivity. Identifying their signals allows a hacker to pinpoint network traffic passing to and from devices. Defending against this requires a wide range of technologies, including secure browsers, since the browser is a common starting point for most cyberattacks [6]. These problems are not going away anytime soon either, compounded by the recent rise of IoT devices. Further, IoT device manufacturers have often prioritized convenience and connectivity over security [7]. Even worse, many of these devices are now connected to critical hardware, making the consequences of a hack even worse.

How to avoid Bluetooth tracking?

There is both good and bad news. The good news is that Android devices seem entirely unaffected by this exploit. The bad news is that if you own any other device, there is no way to use Bluetooth without leaving yourself open to this (KNOB) hacking. Let's cross our fingers for manufacturers to patch the vulnerability now that the research has been made public, but until then, keep one thing in mind: only use Bluetooth when you need to, and make sure the connection between devices and networks is encrypted.

References: 1. 4. 6.