Skip to content
Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals

Featured Image Credit: Image by 200 Degrees from Pixabay

2 comments

Apple Blocks KNOB Attack on Bluetooth

Researchers have discovered a serious security vulnerability that afflicts all Bluetooth devices. Dubbed the Key Negotiation of Bluetooth (KNOB) Attack, it enables an attacker to force two connecting Bluetooth devices to use a one-byte encryption key, which is trivially easy to break. After breaking the key, the attacker can intercept all traffic exchanged between the devices.

The good news is that exploiting KNOB requires the attacker to be within Bluetooth range of two vulnerable devices, which means 10 meters for most Bluetooth devices but theoretically up to 400 meters when both devices support Bluetooth 5. It also requires precision timing to intercept and modify the key exchange process. Even more important, Apple has already mitigated this vulnerability in macOS 10.14.6 Mojave, Security Update 2019-004 for Sierra and High Sierra, iOS 12.4, watchOS 5.3, and tvOS 12.4. Google and Microsoft have also issued fixes for the issue.

Read original article

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Apple Blocks KNOB Attack on Bluetooth

Notable Replies

  1. I’m guessing this affects my old iPod Nano (7th gen) when it talks to my car. There hasn’t been a software update to the iPod in ages, and I wonder if Apple will even consider addressing this vulnerability. If I have to drive without my music I’ll go nuts. :wink:

  2. I’m confident that they won’t. Details concerning the likelihood of the vulnerability being exploited and the impact haven’t yet been scored at NVD - CVE-2019-9506, but from the description it appears to be low and who really cares if their music is being intercepted? I don’t think it’s worth spending time being concerned about it.

Join the discussion in the TidBITS Discourse forum

Participants

Avatar for jcenters Avatar for andkim1974 Avatar for alvarnell