Researchers have demonstrated a serious weakness in the Bluetooth wireless standard that could allow hackers to intercept keystrokes, address books, and other sensitive data sent from billions of devices.
Dubbed Key Negotiation of Bluetooth — or KNOB for short — the attack forces two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection. Attackers within radio range can then use commodity hardware to quickly crack the key. From there, attackers can use the cracked key to decrypt data passing between the devices. The types of data susceptible could include keystrokes passing between a wireless keyboard and computer, address books uploaded from a phone to a car dashboard, or photographs exchanged between phones.
KNOB requires an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself, making it likely the vulnerability affects just about every device compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips – including those from Broadcom, Apple, and Qualcomm – and found all of them to be vulnerable.
"The Key Negotiation Of Bluetooth (KNOB) attack exploits a vulnerability at the architectural level of Bluetooth," the researchers wrote in a research paper published this week. “The vulnerable encryption key negotiation protocol endangers all standard compliant Bluetooth devices, regardless [of] their Bluetooth version number and implementation details. We believe that the encryption key negotiation protocol has to be fixed as soon as possible. "
While people wait for the Bluetooth Special Interest Group — the body that oversees the wireless standard — to provide a fix, a handful of companies have released software updates that patch or mitigate the vulnerability, which is tracked as CVE-2019-9506. The fixes include:
The US CERT has issued this advisory. The Bluetooth Special Interest Group, meanwhile, posted a security notice here.
The attack targets glaring weaknesses in the key set-up process that occurs just prior to connecting two devices. The Bluetooth specification allows keys to have lengths of as many as 16 bytes or as few as 1 byte. The lower limit, the researchers said, was put in place in part to comply with "international encryption regulations."
The result: all Bluetooth-compliant devices are required to negotiate the length of the key they will use to encrypt the connection. A master device may start proposing a 16-byte key, and the slave device may respond that is only capable of using a 1-byte key. With that said, the key will be downgraded to a size trivial to crack using brute-force techniques, which attempt to guess every possible combination until the correct one is found.
If that is bad enough, this key-length negotiation, which occurs over something known as the Link Manager Protocol, is encrypted or authenticated. The negotiation is also completely opaque to apps and OSes. As a result, the key encrypting the keystrokes and other sensitive data may be protected by a trivially crackable 1-byte key, with no easy way for a user to even know.
The researchers — Daniele Antonioli with Singapore University of Technology and Design; Nils Ole Tippenhauer, or CISPA Helmholtz Center for Information Security; and Kasper B. Rasmussen, with the University of Oxford — have devised two attack variations to exploit these weaknesses. The first is a remote technique, in which the attacker uses a custom Bluetooth device to perform an active man-in-the-middle attack on two connecting devices, which the researchers call Alice and Bob. That goal of the MitM attack: cause the devices to agree on a 1-byte key notated as K'C.
The researchers wrote:
Alice's Bluetooth host requests to activate (set) encryption. Alice's Bluetooth controller accepts the local requests and starts the encryption key negotiation procedure with Bob's Bluetooth controller over the air. The attacker intercepts Alice's proposed key entropy and substitutes 16 with 1. This simple substitution works because LMP is neither encrypted nor integrity protected. Bob's controller accepts 1 byte. The attacker intercepts Bob's acceptance message and changes it to an entropy proposal of 1 byte. Alice thinks Bob doesn't support 16 bytes of entropy and accepts 1 byte. The attacker intercepts Alice's acceptance message and drops it. Finally, the controllers of Alice and Bob compute the same K'C with one byte of entropy and notify their respective hosts that link-layer encryption is on.
Below is a corresponding chart, where the attacker is named Charlie:
The other other attack variation maliciously modifies a few bytes in the firmware of one of the devices. The modification causes the device to negotiate a maximum key size of 1-byte. In essence, the other device has no choice but to accept.
A matter of engineering effort
The researchers carry out the man-in-the-middle attack over the air. However, they did root a Nexus 5 device to perform a firmware attack. Based on the response from the other device — a Motorola G3 — the researchers said they believe both attacks would work.
"This attack setup is much more reliable than an over-the-air attack," researcher Daniele Antonioli wrote in an email, referring to the firmware variation. “It allows to quickly test if a new device is vulnerable, and it was sufficient to demonstrate to the reviewers that the KNOB attack is a real, high-impact threat. Implementing the same attack over the air is only a matter of engineering effort. "
KNOB has received a large amount of attention since it was disclosed earlier this week. Many people took to social media to declare Bluetooth has been broken by this new attack. Theoretically, it probably has, and that means probably not a good idea to rely on consumer grade Bluetooth to protect vitally sensitive data.
Lesley Carhart, principal threat hunter at security firm Dragos, put it this way in an email:
The implemented security of consumer Bluetooth devices has always been dubious at best. However, deciding whether to use Bluetooth devices should depend on personal risk management and the threats we face individually. For example, it may be more practical for an adversary to install a keylogger on a remote computer than launch a wireless attack within physical proximity. For most people, accepting that Bluetooth security is only a deterrent will be an acceptable risk. For people who do sensitive work in crowded areas, Bluetooth keyboards might be unwise in general.
It is also important to note the hurdles — namely the cost of equipment and a surgical-precision MitM — that kept the researchers from actually carrying out their over-the-air attack in their in-laboratory. Had the over-the-air technique been easy, they almost certainly would have done it.
Dan Guido, a mobile security expert and CEO of security firm Trail of Bits, said: "This is a bad bug although it is hard to exploit in practice. It requires local proximity, perfect timing, and a clear signal. fully MITM both peers to change the key size and exploit this bug. I'm going to apply the available patches and continue using my bluetooth keyboard. "
That still leaves the firmware variation of the attack, but that also comes with its own steep challenges. In a real-world setting, it would require either tampering in the supply chain or getting physical access to a targeted device, making changes to the firmware, and then removing all signs of tampering.
What's more, the security notice from the Bluetooth Special Interest Group said:
For an attack to be successful, an attacking device would need to be within the wireless range of two vulnerable Bluetooth devices that were establishing a BR / EDR connection. If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window. If the attacking device was successful in shortening the encryption key length used, it would then need to execute a brute force attack to crack the encryption key. In addition, the attacking device would need to repeat the attack every time encryption gets enabled since the encryption key size negotiation takes place every time.
The upshot of all this is that the reason to think that Bluetooth is even more insecure than previously thought, but that KNOB is not the type of attack likely to be performed anytime soon at a Starbucks. Don't say that in-the-wild attacks will never occur. For now, people should apply patches where available and not worry too much about using Bluetooth for casual things, such as streaming audio. At the same time, it might not be a bad idea to start thinking about weening yourself off Bluetooth when transmitting truly sensitive data.