Researchers have demonstrated a serious weakness in the Bluetooth wireless standard that could allow hackers to intercept keystrokes, address books, and other sensitive data sent from billions of devices.
Dubbed Key Negotiation of Bluetooth—or KNOB for short—the attack forces two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection. Attackers within radio range can then use commodity hardware to quickly crack the key. From there, attackers can use the cracked key to decrypt data passing between the devices. The types of data susceptible could include keystrokes passing between a wireless keyboard and computer, address books uploaded from a phone to a car dashboard, or photographs exchanged between phones.
KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.
“The Key Negotiation Of Bluetooth (KNOB) attack exploits a vulnerability at the architectural level of Bluetooth,” the researchers wrote in a research paper published this week. “The vulnerable encryption key negotiation protocol endangers potentially all standard compliant Bluetooth devices, regardless [of] their Bluetooth version number and implementation details. We believe that the encryption key negotiation protocol has to be fixed as soon as possible.”
While people wait for the Bluetooth Special Interest Group—the body that oversees the wireless standard—to provide a fix, a handful of companies has released software updates that patch or mitigate the vulnerability, which is tracked as CVE-2019-9506. The fixes include:
The attack targets glaring weaknesses in the key set-up process that occurs just prior to two devices connecting. The Bluetooth specification allows keys to have lengths of as many as 16 bytes or as few as 1 byte. The lower limit, the researchers said, was put in place in part to comply with “international encryption regulations.”
The result: all Bluetooth-compliant devices are required to negotiate the length of the key they will use to encrypt the connection. A master device may start out proposing a 16-byte key, and the slave device may respond that it’s only capable of using a 1-byte key. With that, the key will be downgraded to a size that’s trivial to crack using brute-force techniques, which attempt to guess every possible combination until the correct one is found.
As if that wasn’t bad enough, this key-length negotiation—which occurs over something known as the Link Manager Protocol—isn’t encrypted or authenticated. The negotiation is also completely opaque to apps and OSes. As a result, the key encrypting the keystrokes and other sensitive data may be protected by a trivially crackable 1-byte key, with no easy way for a user to even know.
The researchers—Daniele Antonioli of Singapore University of Technology and Design, Nils Ole Tippenhauer of CISPA Helmholtz Center for Information Security, and Kasper B. Rasmussen with the University of Oxford—have devised two attack variations to exploit these weaknesses. The first is a remote technique in which the attacker uses a custom Bluetooth device to perform an active man-in-the-middle attack on two connecting devices (the researchers call these devices Alice and Bob). The goal of the MitM attack: cause the devices to agree on a 1-byte key notated as K‘C.
The researchers wrote:
Alice’s Bluetooth host requests to activate (set) encryption. Alice’s Bluetooth controller accepts the local requests and starts the encryption key negotiation procedure with Bob’s Bluetooth controller over the air. The attacker intercepts Alice’s proposed key entropy and substitutes 16 with 1. This simple substitution works because LMP is neither encrypted nor integrity protected. Bob’s controller accepts 1 byte. The attacker intercepts Bob’s acceptance message and changes it to an entropy proposal of 1 byte. Alice thinks that Bob does not support 16 bytes of entropy and accepts 1 byte. The attacker intercepts Alice’s acceptance message and drops it. Finally, the controllers of Alice and Bob compute the same K‘C with one byte of entropy and notify their respective hosts that link-layer encryption is on.
Below is a corresponding diagram, where the attacker is named Charlie:
The other other attack variation maliciously modifies a few bytes in the firmware of one of the devices. The modification causes the device to negotiate a maximum key size of 1-byte. In essence, the other device has no choice but to accept.
A matter of engineering effort
The researchers didn’t carry out the man-in-the-middle attack over the air. They did, however, root a Nexus 5 device to perform a firmware attack. Based on the response from the other device—a Motorola G3—the researchers said they believe that both attacks would work.
“This attack setup is much more reliable than an over-the-air attack,” researcher Daniele Antonioli wrote in an email, referring to the firmware variation. “It allows us to quickly test if a new device is vulnerable, and it was sufficient to demonstrate to the reviewers that the KNOB attack is a real, high-impact threat. Implementing the same attack over the air is only a matter of engineering effort.”
KNOB has received a large amount of attention since it was disclosed earlier this week. Many people took to social media to declare Bluetooth has been broken by this new attack. Theoretically, it probably has, and that means depending on consumer-grade Bluetooth to protect vitally sensitive data is probably not a good idea.
Lesley Carhart, principal threat hunter at the security firm Dragos, put it this way in an email:
The implemented security of consumer Bluetooth devices has always been dubious at best. However, deciding whether to use Bluetooth devices should depend on personal risk management and the threats we face individually. For example, it may be far more practical for an adversary to install a keylogger on a remote computer than launch a wireless attack within physical proximity. For most people, accepting that Bluetooth security is only a deterrent will be an acceptable risk. For people who do sensitive work in crowded areas, Bluetooth keyboards might be unwise in general.
It’s also important to note the hurdles—namely the cost of equipment and a surgical-precision MitM—that kept the researchers from actually carrying out their over-the-air attack in their on laboratory. Had the over-the-air technique been easy, they almost certainly would have done it.
Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits, said: “This is a bad bug, although it is hard to exploit in practice. It requires local proximity, perfect timing, and a clear signal. You need to fully MitM both peers to change the key size and exploit this bug. I’m going to apply the available patches and continue using my bluetooth keyboard.”
That still leaves the firmware variation of the attack, but that, too, comes with its own steep challenges. In a real-world setting, it would require either tampering in the supply-chain or getting physical access to a targeted device, making changes to the firmware, and then removing all signs of tampering.
What’s more, the security notice from the Bluetooth Special Interest Group said:
For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection. If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window. If the attacking device was successful in shortening the encryption key length used, it would then need to execute a brute force attack to crack the encryption key. In addition, the attacking device would need to repeat the attack each time encryption gets enabled since the encryption key size negotiation takes place each time.
The upshot of all this is that the there’s reason to think that Bluetooth is even more insecure than previously believed but that KNOB isn’t the type of attack we’re likely to see performed anytime soon at a Starbucks. That’s not to say that in-the-wild attacks will never occur. For now, people should apply patches where available and not worry too much about using Bluetooth for casual things, such as streaming audio. At the same time, it might not be a bad idea to start thinking about weening yourself off Bluetooth when transmitting truly sensitive data.