Key Negotiation of Bluetooth and how this has been exploited.
Daniele Antonioli, SUTD; Nils Ole Tippenhauer, CISPA; Kasper B. Rasmussen, University of Oxford
We present an attack on the encryption key negotiation protocol of Bluetooth BR/EDR. The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time). The attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected. We call our attack Key Negotiation Of Bluetooth (KNOB) attack.
The attack targets the firmware of the Bluetooth chip because the firmware (Bluetooth controller) implements all the security features of Bluetooth BR/EDR. As a standard-compliant attack, it is expected to be effective on any firmware that follows the specification and on any device using a vulnerable firmware. We describe how to perform the KNOB attack, and we implement it. We evaluate our implementation on more than 14 Bluetooth chips from popular manufacturers such as Intel, Broadcom, Apple, and Qualcomm. Our results demonstrate that all tested devices are vulnerable to the KNOB attack. We discuss countermeasures to fix the Bluetooth specification and its implementation.
Higher entropy makes it harder for attackers to brute-force an encryption key; lower entropy makes it easier.
An attacker could force the two devices to use a smaller number of bytes of entropy.
The KNOB attack is especially pernicious because it doesn’t violate the Bluetooth DR/EDR specification, which explicitly permits keys with just one byte of entropy. It’s also been proven to work on Bluetooth radios from all the major manufacturers, including Broadcom, Apple, and Intel.
Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time).
Bluetooth Version 5.0
Snapdragon 845 Galaxy S9 X
Snapdragon 835 Pixel 2, OnePlus 5 X
Apple/USI 339S00428 MacBookPro 2018 X
Apple A1865 iPhone X X
Bluetooth Version 4.2
Intel 8265 ThinkPad X1 6th X
Intel 7265 ThinkPad X1 3rd X
Unknown Sennheiser PXC 550 X
Apple/USI 339S00045 iPad Pro 2 X
BCM43438 RPi 3B, RPi 3B+ X
BCM43602 iMac MMQA2LL/A X
Bluetooth Version 4.1
BCM4339 (CYW4339) Nexus 5, iPhone 6 X
Snapdragon 410 Motorola G3 X
Bluetooth Version ≤ 4.0
Snapdragon 800 LG G2 X
Intel Centrino 6205 ThinkPad X230 X
Chicony Unknown ThinkPad KT-1255 X
Broadcom Unknown ThinkPad 41U5008 X
Broadcom Unknown Anker A7721 X
Apple W1 AirPods *
The researchers reported the vulnerability to ICASI and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon who issued a coordinated disclosure of the vulnerability
Intel affected products:
Intel® Wireless-AC products (3000 series, 7000 series, 8000 series, 9000 series)
Intel® Wi-Fi 6 products (AX200, AX201)
Intel® Wireless Gigabit products (17000 series, 18000 series)
Intel® Atom x3-C3200 Processor Series
Apple has already mitigated this vulnerability in macOS 10.14.6 Mojave, Security Update 2019-004 for Sierra and High Sierra, iOS 12.4, watchOS 5.3, and tvOS 12.4.