Researchers have identified a serious vulnerability in the Bluetooth wireless standard that could allow hackers to intercept keystrokes, address books and other sensitive data by billions sent by devices.  Bluetooth Synchronized Key Negotiation – or KNOB for short ̵
KNOB does not require an attacker to have previously shared secret material or to observe the targeting device's pairing process. The exploit is invisible to Bluetooth apps and the operating system on which they run, so the attack is barely visible without highly specialized devices. KNOB also exploits a vulnerability in the Bluetooth standard itself, so the vulnerability is likely to affect almost every device that complies with the specification. The researchers simulated the attack on 14 different Bluetooth chips, including those from Broadcom, Apple and Qualcomm, and found that they are all vulnerable.
"The Key Negotiation Of Bluetooth (KNOB) attack exploits a Bluetooth-level architecture vulnerability," the researchers wrote in a research report released this week. "The vulnerable cryptographic key negotiation protocol potentially jeopardizes all standards-compliant Bluetooth devices, regardless of [of] their Bluetooth version number and implementation details. We believe that the protocol for negotiating the encryption key needs to be set as soon as possible.
While people wait for the Bluetooth Special Interest Group to monitor the wireless standard, a handful of companies have released a solution that fixes or resolves the vulnerability that is being tracked as CVE-2019-9506. The corrections include:
The US CERT has issued this notice. Meanwhile, the Bluetooth Special Interest Group published a safety message here.
The attack targets blatant weaknesses in the key setup process that occurs just before connecting two devices. The Bluetooth specification allows keys to be up to 16 bytes or 1 byte long. The lower limit, the researchers said, has been set in part to comply with "international encryption requirements".
The result: All Bluetooth-compliant devices must negotiate the length of the key they use to encrypt the connection. A master device may first propose a 16-byte key, and the slave device may respond that it can only use a one-byte key. This trivializes the key to a size that is trivial with brute-force techniques that try to guess every possible combination until the right one is found.
As if that was not bad enough, this key has the length negotiation that is done through the Link Manager protocol is not encrypted or authenticated. Negotiation is also completely opaque for apps and operating systems. As a result, the key that encrypts the keystrokes and other sensitive data can be protected by a trivially creakable 1-byte key without a user being able to easily determine it.
The researchers: Daniele Antonioli of the Singapore University of Technology and Design; Nils Ole Trinkhauer from the CISPA Helmholtz Center for Information Security; and Kasper B. Rasmussen of Oxford University have developed two types of attacks to exploit these weaknesses. The first is a remote technique in which the attacker uses a custom Bluetooth device to perform an active man-in-the-middle attack on two connection devices, which the researchers call Alice and Bob. The goal of the MitM attack: The devices must agree on a 1-byte key marked K C
. Researchers wrote:
Alice's Bluetooth host prompts for activation (set encryption) Alice's Bluetooth controller accepts local requests and wirelessly starts negotiating the encryption key with Bob's Bluetooth controller, capturing Alice's proposed key entropy This simple replacement works because LMP is neither encrypted nor protected by integrity Bob's controller accepts 1 byte The attacker intercepts Bob's acceptance message and changes it to a 1 byte entropy proposal Alice thinks Bob 16 Byte entropy not supported and 1 byte accepted The attacker intercepts the Alice acknowledgment message and discards it Finally, the controllers of Alice and Bob compute the same K & # 39; C with one byte of entropy and inform their respective hosts that the link layer cipher is activated.
where the attacker is called Charlie:
The other attack variant maliciously changes some bytes in the firmware of one of the devices. The change causes the device to negotiate a maximum key size of 1 byte. Basically, the other device has no choice but to accept.
A Question of Technical Effort
The researchers did not perform the man-in-the-middle attack via radio. However, you have rooted a Nexus 5 device to perform a firmware attack. Based on the response of the other device – a Motorola G3 – the researchers said both attacks would work.
"This attack setup is much more reliable than an over-the-air attack," wrote researcher Daniele Antonioli, emailing the firmware version. "It makes it possible to quickly test whether a new device is vulnerable and to demonstrate to the examiners that the KNOB attack is a real threat with high impact. The implementation of the same attack by radio is only a matter of technicality. "
KNOB has attracted a lot of attention since its release earlier this week. Many people used social media to explain that Bluetooth was damaged by this new attack. Theoretically, this is likely to be the case, and that means that relying on end-user Bluetooth is probably not a good idea to protect vital data.
Lesley Carhart, the chief threat hunter of security company Dragos, wrote this in an email:
The implemented security of Bluetooth devices for consumers was always at best dubious. However, the decision to use Bluetooth devices should depend on personal risk management and the threats to which we are exposed individually. For example, it may be far more convenient for an adversary to install a keylogger on a remote computer than to launch a wireless attack in physical proximity. For most people, accepting bluetooth security as a deterrent is an acceptable risk. For people who work in crowded areas sensitive, Bluetooth keyboards can generally be unwise.
It is also important to note the hurdles that have kept the researchers from actually carrying out their tasks over-the-air attack in their lab. Had the over-the-air technique been easy, they would almost certainly have done so.
Dan Guido, a mobile security expert and CEO of security company Trail of Bits, said, "This is a terrible mistake, even though it's hard to exploit in practice, it requires local proximity, perfect timing, and a clear signal Both peers must be fully MITM-enabled to change the key size and exploit this error, I will apply the patches available and continue to use my Bluetooth keyboard. "
This will preserve the firmware version of the attack, but it will his own steep challenges. In practice, either the supply chain needs to be manipulated, or physical access to a target device must be made, the firmware changed, and any signs of tampering eliminated.
You also need to use the security alert from The Bluetooth Special Interest Group said:
For an attack to be successful, an attacking device must be within radio range of two vulnerable Bluetooth devices that establish a BR / EDR connection. If one of the devices does not have the vulnerability, the attack is unsuccessful. The attacking device would have to intercept, manipulate and retransmit the key length negotiation messages between the two devices while blocking transmissions from both devices within a tight time window. If the attacking device was able to successfully shorten the length of the encryption key used, it would have to perform a brute force attack to crack the encryption key. In addition, the attacking device must repeat the attack each time the encryption is activated because the negotiation of the encryption key size takes place each time.
The result is that there is a reason to believe that Bluetooth is even more insecure than Thought before, but this KNOB is not the kind of attack we'll likely see in a Starbucks soon. That does not mean that in-the-wild attacks will never happen. For the moment, users should apply patches, if available, and not worry too much about using Bluetooth for occasional things like streaming audio. At the same time, it may not be a bad idea to worry about transferring really sensitive data about how to disconnect from Bluetooth.