Researchers demonstrate a serious weakness in the Bluetooth wireless standard that can allow attackers to capture keystrokes, address books, and other sensitive data sent by billions of devices. The attack is called Key Negotiation of Bluetooth, or KNOB for short.
KNOB does not require the attacker to have previously shared secret material with the target or to observe the target devices' pairing process. The attack is invisible to Bluetooth applications and to the operating systems they run on, making it virtually impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself, so the vulnerability is likely to affect almost any specification-compliant device. The researchers tested the attack on 14 different Bluetooth chips – including ones from Broadcom, Apple and Qualcomm – and found all of them vulnerable.
"The Key Negotiation of Bluetooth (KNOB) attack exploits a vulnerability at the architectural level of Bluetooth," the researchers wrote in a research paper published this week. "The vulnerable encryption key negotiation protocol threatens potentially all standard-compliant Bluetooth devices, regardless of version numbers and implementation details. We believe that the encryption key negotiation protocol should be fixed as soon as possible."
While people wait for the Bluetooth Special Interest Group, the body that oversees the wireless standard, to provide a fix, a handful of companies have released software updates that patch or mitigate the vulnerability, which is being tracked as CVE-2019-9506. The fixes include:
The US CERT issued this advisory. Meanwhile, the Bluetooth Special Interest Group has posted a security notice here.
The attack targets weaknesses in the key setup process, which happens just before two devices connect. The Bluetooth specification allows keys to be as long as 16 bytes or as short as 1 byte. The lower bound, the researchers said, was set in part to comply with "international encryption regulations."
The result: because all Bluetooth-compliant devices are required to negotiate the length of the key they will use to encrypt the connection, one device may start by offering a 16-byte key, and the slave may respond that it is capable of using only a 1-byte key. That reduces the key to a size that is trivial to crack by brute force, which simply tries every possible combination until the correct one is found.
As if that weren't bad enough, this key-length negotiation, which takes place over something known as the Link Manager Protocol (LMP), is neither encrypted nor authenticated. The negotiation is also completely opaque to applications and the OS. As a result, the key encrypting keystrokes and other sensitive data may be a trivially breakable 1-byte key, with no easy way for the user to even know.
The researchers – Daniele Antonioli of the Singapore University of Technology and Design; Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security; and Kasper B. Rasmussen of Oxford University – have devised two attack variants that exploit these weaknesses. The first is a remote technique in which an attacker uses a custom Bluetooth device to mount an active man-in-the-middle attack between two connecting devices the researchers call Alice and Bob. The goal of this MitM attack is to get the devices to agree on a 1-byte key, labeled K'C.
Alice's Bluetooth host requests that encryption be activated (turned on). Alice's Bluetooth controller accepts the local request and starts negotiating the encryption key with Bob's Bluetooth controller over the air. The attacker captures Alice's proposed key entropy and replaces 16 with 1. This simple substitution works because LMP is neither encrypted nor integrity-protected. Bob's controller accepts 1 byte. The attacker captures Bob's acceptance message and changes it into a 1-byte entropy proposal. Alice concludes that Bob does not support 16 bytes of entropy and accepts 1 byte. The attacker captures Alice's acceptance message and drops it. Finally, Alice's and Bob's controllers compute the same K'C with 1 byte of entropy and notify their respective hosts that link-layer encryption is enabled.
The following diagram shows the exchange, with the attacker named Charlie:
The other attack variant maliciously modifies a few bytes in the firmware of one of the devices. The modification causes that device to negotiate a maximum key size of 1 byte. The other device, in essence, has no choice but to accept.
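The over-the-air exchange above and the firmware variant, as an added Python simulation that is not from the article or from the researchers' own tooling: Alice's and Bob's controllers trade the proposal and acceptance messages described, Charlie rewrites them in flight exactly as in the step list, and a hardened controller with an assumed minimum key-size policy (MIN_KEY_BYTES, a value the article does not give) aborts instead of accepting a short key. The message names and the Controller class are my own constructs, not real LMP.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_KEY_BYTES = 7  # assumed host-side policy; the article names no specific minimum

@dataclass
class Controller:
    """Toy model of one controller's LMP key-size negotiation (constructed, not real LMP)."""
    max_key_bytes: int = 16       # what the device proposes first
    min_key_bytes: int = 1        # 1 = spec-compliant with no enforcement: the KNOB condition
    negotiated: Optional[int] = None

    def propose(self):
        return ("PROPOSE", self.max_key_bytes)

    def handle(self, msg):
        kind, n = msg
        if n < self.min_key_bytes:                  # hardened controller refuses a short key
            return ("ABORT", n)
        if kind == "PROPOSE" and n > self.max_key_bytes:
            return ("PROPOSE", self.max_key_bytes)  # counter-propose our own maximum
        self.negotiated = n                         # accept the proposal, or record the acceptance
        return ("ACCEPT", n) if kind == "PROPOSE" else None

def make_charlie():
    """Charlie's rewrites from the article: 16 -> 1, Bob's acceptance -> 1-byte proposal, drop Alice's acceptance."""
    accepts_seen = 0
    def charlie(msg):
        nonlocal accepts_seen
        if msg[0] == "PROPOSE":
            return ("PROPOSE", 1)
        accepts_seen += 1
        return ("PROPOSE", 1) if accepts_seen == 1 else None
    return charlie

def negotiate(alice, bob, attacker=None) -> Optional[Tuple[int, int]]:
    """Run the exchange; returns (alice_key_bytes, bob_key_bytes), or None if either side aborts."""
    msg, receiver = alice.propose(), bob
    for _ in range(6):                              # LMP is unauthenticated: nothing checks msg integrity
        msg = attacker(msg) if attacker else msg
        if msg is None:                             # message dropped in flight
            break
        reply = receiver.handle(msg)
        if reply is None:                           # receiver saw an acceptance; negotiation done
            break
        if reply[0] == "ABORT":
            return None
        msg, receiver = reply, (alice if receiver is bob else bob)
    return alice.negotiated, bob.negotiated
```

With both sides at the default policy the attacked run ends at (1, 1), leaving at most 256 candidate keys to try instead of 2^128; a single hardened side makes the same run abort, which matches the notice's point that one unaffected device defeats the attack.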
A matter of engineering effort
The researchers did not carry out the over-the-air man-in-the-middle attack. They did, however, root a Nexus 5 to launch the firmware attack. Based on the response of the other device, a Motorola G3, the researchers said they believe both attacks would work.
"This attack setting is much more reliable than an over-the-air attack," researcher Daniele Antonioli wrote in an email regarding the firmware variant. "It allows us to quickly test whether a new device is vulnerable and was enough to show the reviewers that the KNOB attack is a real, high-impact threat. Doing the same attack over the air is just a matter of engineering effort."
KNOB has received a lot of attention since it was disclosed earlier this week. Many people took to social media to say that Bluetooth had been broken by this new attack. In theory, it probably has been, which means it's probably not a good idea to depend on consumer-grade Bluetooth to protect critical data.
Leslie Carhart, a principal threat hunter at security firm Dragos, put it this way in an email:
The embedded security of consumer Bluetooth devices has always been questionable at best. However, deciding whether to use Bluetooth devices should depend on personal risk management and the threats we each face. For example, it may be far more practical for an adversary to install a keylogger on a remote computer than to launch a wireless attack in physical proximity. For most people, accepting that Bluetooth security is just a deterrent would be an acceptable risk. For people who do sensitive work in crowded areas, Bluetooth keyboards may be unwise.
It is also important to note the obstacles – namely the cost of the equipment and the surgical precision a MitM requires – that prevented the researchers from actually carrying out the over-the-air attack in their lab. If the over-the-air technique were easy, they almost certainly would have done it.
Dan Guido, a mobile security expert and CEO of security firm Trail of Bits, said: "This is a bad bug, although difficult to exploit in practice. It requires local proximity, perfect timing and a clear signal to fully MITM both peers to resize the keys and exploit this bug. I will apply the available patches and continue to use my Bluetooth keyboard."
This still leaves the firmware variant of the attack, but it comes with its own steep challenges. In a real-world scenario, it would require either tampering with the supply chain or gaining physical access to a targeted device and making changes to the
Moreover, the Bluetooth Special Interest Group's security notice states:
In order for the attack to be successful, the attacker must be within wireless range of two vulnerable Bluetooth devices that are establishing a BR/EDR connection. If one of the devices did not have the vulnerability, the attack would not be successful. The attacker would need to intercept, manipulate and relay the key length negotiation messages between the two devices while also blocking transmissions from both, and if the attacker were successful in shortening the encryption key used, they would then need to carry out a brute-force attack to recover the encryption key. In addition, the attacker would need to repeat the attack each time encryption is enabled, since the encryption key size negotiation takes place each time.
The upshot of all this is that there is reason to think Bluetooth is even less secure than previously thought, but KNOB is not the type of attack we are likely to see any time soon at Starbucks. That does not mean attacks in the wild will never occur. For now, people should apply patches when they become available and not worry too much about using Bluetooth for casual things like streaming audio. At the same time, it may not be a bad idea to start thinking about cutting back on Bluetooth when transmitting truly sensitive data.