Monday, August 19, 2019

Bluetooth KNOB Attack

Key Negotiation of Bluetooth Attack (via Luis Grangeia, Hacker News):

The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.

[…]

The KNOB attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack.

After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed.

hannob:

What is even more bananas than the mere existence of this attack is the statement of the bluetooth standardization group.

Here’s their plan to fix this:

To remedy the vulnerability, the Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections

7 octets, aka… 56 bit. So it looks like this vulnerability is here to stay. They just raise the bar from “trivially breakable” to “you need a bit of cloudcomputing effort to break a connection”.

Bluetooth SIG:

For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection.  If one of the devices did not have the vulnerability, then the attack would not be successful.  The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window.

So it sounds like the good news is that this could potentially be fixed at the OS level, i.e. updating half of each pair. You wouldn’t have to replace all your Bluetooth devices.

Update (2019-08-29): Josh Centers:

Apple has already mitigated this vulnerability in macOS 10.14.6 Mojave, Security Update 2019-004 for Sierra and High Sierra, iOS 12.4, watchOS 5.3, and tvOS 12.4.

2 Comments RSS · Twitter

I’ve always assumed WiFi and Bluetooth encryption standards have the same strength as wet toilet paper, because those standards committees go to great lengths to keep actual cryptographers at bay, then specify non-standard algorithms in a demonstration of Dunning-Kruger syndrome.
You can use a VPN with WiFi, but there is no way to secure Bluetooth.

Will Notbepublished

Considering that Mac OS X, OS X and macOS have been plagued with bugs that turn Bluetooth back on after it has been manually disabled, it could be a good idea for Apple to provide security updates to all the OS versions they released.

Leave a Comment