The KNOB is Broken: The Latest Bluetooth Vulnerability

For those of you who indulge in Bluetooth, you will want to be aware of this latest attack. Beginning at 1:45:00, Steve Gibson does a good job of explaining this vulnerability, in which an attacker can force a low-entropy connection and then brute-force your device from there.

Security researchers report that out of the 14 popular devices which were tested, all 14 were found to be susceptible to this attack!!!
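As an added illustration of the mechanism the post describes (not code from the thread, from Steve Gibson, or from any Bluetooth stack), the model below reduces the KNOB weakness to the two things that matter: the key-size proposal travels unprotected, so an on-path attacker can rewrite it down to one byte, and an unpatched responder accepts whatever arrives. The 7-byte floor is the minimum the Bluetooth SIG recommended after the disclosure; the truncation used to model the entropy reduction, the latency-free negotiation and the guess rate are simplifications of my own.

```python
"""Constructed model of the KNOB weakness and the fix, written for this thread.
It is not Bluetooth stack code: the entropy reduction and the negotiation are
simplified to the property that matters to an attacker."""
import secrets

MAX_ENTROPY_BYTES = 16   # largest encryption key size the BR/EDR negotiation allows
MIN_ENTROPY_BYTES = 7    # floor the Bluetooth SIG recommended after KNOB was disclosed


class NegotiationRejected(Exception):
    """Raised when the responding device refuses the negotiated key size."""


def negotiate_key_size(proposed, peer_minimum, on_path_rewrite=None):
    """Model of the key-size negotiation.

    proposed        -- key size (in bytes) the initiating device asks for
    peer_minimum    -- smallest size the responding device will accept
    on_path_rewrite -- optional function modelling an attacker who can alter the
                       proposal in flight; the real exchange is neither encrypted
                       nor integrity-protected, which is what KNOB abuses
    """
    if on_path_rewrite is not None:
        proposed = on_path_rewrite(proposed)
    if not 1 <= proposed <= MAX_ENTROPY_BYTES:
        raise NegotiationRejected(f"invalid key size {proposed}")
    if proposed < peer_minimum:
        raise NegotiationRejected(
            f"key size {proposed} is below the enforced minimum {peer_minimum}")
    return proposed


def reduce_key(link_key, entropy_bytes):
    """Model of the entropy reduction: after negotiation only `entropy_bytes`
    bytes of the 16-byte encryption key are unknown to the attacker. The real
    spec uses a modular polynomial reduction rather than truncation, but the
    attacker-facing key space is the same."""
    if len(link_key) != MAX_ENTROPY_BYTES:
        raise ValueError("link key must be 16 bytes")
    if not 1 <= entropy_bytes <= MAX_ENTROPY_BYTES:
        raise ValueError("entropy out of range")
    return link_key[:entropy_bytes]


def keyspace(entropy_bytes):
    """Number of keys an attacker must try after a negotiation of this size."""
    return 1 << (8 * entropy_bytes)


def brute_force_seconds(entropy_bytes, guesses_per_second):
    """Worst-case time to exhaust the reduced key space at a given guess rate."""
    return keyspace(entropy_bytes) / guesses_per_second


def demo():
    """Run the same downgrade against an unpatched and a patched responder.
    Returns (size the unpatched device accepted, unknown bytes left, patched outcome)."""
    link_key = secrets.token_bytes(MAX_ENTROPY_BYTES)   # constructed link key
    downgrade = lambda n: 1   # attacker rewrites every proposal to one byte

    accepted = negotiate_key_size(16, peer_minimum=1, on_path_rewrite=downgrade)
    reduced = reduce_key(link_key, accepted)   # one byte left to guess

    try:
        negotiate_key_size(16, peer_minimum=MIN_ENTROPY_BYTES, on_path_rewrite=downgrade)
        patched = "accepted"
    except NegotiationRejected:
        patched = "rejected"
    return accepted, len(reduced), patched


if __name__ == "__main__":
    accepted, remaining, patched = demo()
    print(f"unpatched responder accepted a {accepted}-byte key "
          f"({keyspace(accepted)} candidates, {remaining} unknown byte)")
    print(f"patched responder enforcing {MIN_ENTROPY_BYTES} bytes: {patched}")
    print(f"brute force at 1e9 guesses/s: "
          f"{brute_force_seconds(1, 1e9):.2e} s (1 byte) vs "
          f"{brute_force_seconds(MIN_ENTROPY_BYTES, 1e9):.2e} s (7 bytes)")
```

The point of the model is the asymmetry: with a one-byte key there are 256 candidates, so the brute force is over before the pairing finishes, while the patched responder never lets the session reach that state. On a real device the fix is a firmware update from the vendor; you cannot set this floor yourself.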


This is why I still shake my head at why we are using BT for things for which ad-hoc wifi would be a better choice. With NFC, that could be the key exchange between the mobile devices.
BT is fit for non-secure stuff only.

1 Like

So I listened to the part. How is this able to be abused in the real world, not just in tech-speak white papers?

Fortunately, I don’t have anything active with BT.

Most people leave the features of their phone on. So say you have NFC, which can initiate a pairing sequence without the user needing to interact with the phone. Someone with an NFC emitter can tell your phone to pair with this device, and then they have access to your phone. There are many other exploits with BT that then allow them to take over your phone. Basically the physical security rule applies at that point. If they stay in range, they own the box. If they get their malware on the device, then they can own the box from afar.

Now I don’t know how long this exploit and the subsequent exploits take to execute, but basically think of remote pay and critical commerce data, position tracking, message and voice monitoring, etc.

My initial thought was that a bad guy could camp out in a grocery store parking lot. Most folks leaving the store with multiple packages will go straight home and they likely live close by. Also, what happens when most people hop in their car and start the engine? Their phone and car automatically handshake. If this handshake could be manipulated, you could easily own the phone and that person’s digital life. If you follow them home, you also have their address and you know where their phone (likely switched on and likely within range) sleeps at night.

Of course, the bad guys are likely much more sophisticated than my feeble imagination, so who knows how ugly this vulnerability could actually be.

Remote transmissions are generally a big problem and a complicated issue. Proximity-key cars are a good example: the plague of theft by the so-called “suitcase” method. They bring the device close enough to the person with the key and transmit the signal to the parked car, even very far away. The car receives the signal as if the key were right next to it. The alarm is turned off, the door opens, the engine runs. And the thieves drive away as if it were their own car.


I remember VW being hit by this right around Dieselgate.

BTW. Where are those videos from? Youtube? Got the links for them?

YouTube, if I remember correctly. Unfortunately I have no URL, but YT is full of it. There was a lot of talk about it once, now less so.

1 Like

I remember Subaru had one rolling master key and due to the lack of randomization, all Subarus from a specific range of years were affected. Required a dealership reflash of the ECU.

But will exchanging the ECU for a new / different one change anything? I’m not sure…
This is still the same principle of transmission. If the signal is captured, it still creates a bridge from point A to B. The device would have to be aware of the presence of such a bridge and that the key is far away. Otherwise, nothing will change. The problem is that we do not break any security, encryption or protocol; we only create a radio bridge for transmission. You can do the same with GSM or wifi; there are plenty of fake BTS in the wild. Only there it is another vector of interest and requires a security breach, whereas in the case of a car it does not.
This method has probably been known and used since 2010. There have even been several generations of devices and quite cheap Chinese solutions.
The last time I looked into it was over a year ago. Back then one of the guys installing car protection told me that there is no reasonable protection against it.
There are special key covers that work like a Faraday cage. Other protections are simply various switches embedded in the electrical installation. But if the signal is transmitted, the very fact of getting inside will still be possible.
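The post above puts its finger on the real requirement: the car has to be able to tell that the key is far away even though the bridged signal is cryptographically perfect. The textbook answer is distance bounding, where the verifier times a challenge-response exchange and refuses anything that took longer than radio could cover within the allowed range. The model below is an added example written for this thread, not any manufacturer's implementation or anything from the thread's linked material: the HMAC challenge-response, the fixed fob processing time, the 3 m range, and the relay hop latency are all assumed values, and the timings are simulated numbers rather than measured radio.

```python
"""Constructed model of a distance-bounding check against keyless-entry relay
attacks, written for this thread. The latencies are simulated numbers, not
measured radio timings, and the protocol is a textbook sketch rather than any
manufacturer's implementation."""
import hmac
import hashlib
import secrets

SPEED_OF_LIGHT_M_PER_NS = 0.2998   # radio waves cover ~30 cm per nanosecond
KEY_PROCESSING_NS = 20.0           # assumed fixed time the fob needs to answer
MAX_RANGE_M = 3.0                  # assumed: the car only unlocks for a fob this close


def rtt_bound_ns(max_range_m=MAX_RANGE_M):
    """Largest round-trip time consistent with the fob being within range."""
    return 2 * max_range_m / SPEED_OF_LIGHT_M_PER_NS + KEY_PROCESSING_NS


def fob_respond(fob_secret, challenge):
    """The fob proves possession of its secret without revealing it."""
    return hmac.new(fob_secret, challenge, hashlib.sha256).digest()


def direct_channel(fob_secret, distance_m):
    """Fob is physically `distance_m` from the car; only time-of-flight applies."""
    def send(challenge):
        rtt = 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS + KEY_PROCESSING_NS
        return fob_respond(fob_secret, challenge), rtt
    return send


def relayed_channel(fob_secret, relay_hop_ns):
    """Two-box relay: the unit next to the car forwards the challenge to a second
    unit next to the owner and back. The cryptography is untouched; the only
    trace the bridge leaves is `relay_hop_ns` of extra latency each way
    (assumed value; any store-and-forward radio link adds far more than the
    few nanoseconds a 3 m range allows)."""
    def send(challenge):
        rtt = KEY_PROCESSING_NS + 2 * relay_hop_ns
        return fob_respond(fob_secret, challenge), rtt
    return send


def car_verify(fob_secret, channel, max_range_m=MAX_RANGE_M):
    """Challenge the fob and accept only a correct answer that arrived in time.
    Returns 'unlock', 'bad response', or 'out of range'. A relayed fob is
    indistinguishable from a genuinely distant one, which is exactly the
    decision the car needs: both mean 'do not open'."""
    challenge = secrets.token_bytes(16)
    response, rtt_ns = channel(challenge)
    expected = fob_respond(fob_secret, challenge)
    if not hmac.compare_digest(response, expected):
        return "bad response"
    if rtt_ns > rtt_bound_ns(max_range_m):
        return "out of range"
    return "unlock"


if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # constructed fob secret
    print("owner at 1 m:      ", car_verify(secret, direct_channel(secret, 1.0)))
    print("relay, 500 ns/hop: ", car_verify(secret, relayed_channel(secret, 500.0)))
    print("owner at 20 m:     ", car_verify(secret, direct_channel(secret, 20.0)))
    wrong = secrets.token_bytes(32)
    print("wrong fob at 1 m:  ", car_verify(secret, direct_channel(wrong, 1.0)))
```

The check has no cryptographic component beyond the ordinary challenge-response; what defeats the bridge is that the relay cannot forward the answer faster than light would have carried it from a nearby fob. Real implementations need a radio that can time at nanosecond resolution, which is why this has historically been rare in production keyless systems.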

Tin foil room pairing :slight_smile:

Not disagreeing with you there. Subaru’s implementation was just so bad that they did not even try to implement any real security besides using a universal key pair for all of their cars. It took care of the replay attack only.

What you are talking about is something that the car industry has been aware of and has done nothing about. I mean, in early 2014, so many high-value cars were being stolen without a trace. We are talking Lambos and Porsches vanishing without a trace in California. The only way around this is to get people to stop wanting lazy tech and to use two-factor authentication. The easiest solution is something you have and something you are. Even then, it does not take much effort to break that.

At the beginning, when these methods came into use, it was a big problem with insurance companies. They did not want to believe that the owner was not involved in an insurance scam.
In general, it looks like deliberate action, just so that thieves can steal and people buy more.

Personally, I would replace physical keys and remote toys with something from Yubikey. I even thought about such a door lock at home. Because when a man sees what the LockPickingLawyer can do…

lol… I watch him every so often.