CyberWire Daily - Bluetooth blues: KNOB attack explained. [Research Saturday]
Episode Date: September 14, 2019A team of researchers have published a report titled, "KNOB Attack. Key Negotiation of Bluetooth Attack: Breaking Bluetooth Security." The report outlines vulnerabilities in the Bluetooth standard, al...ong with mitigations to prevent them. Daniele Antonioli is from Singapore University of Technology and Design, and is one of the researchers studying KNOB. He joins us to share their findings. The research can be found here: https://knobattack.com Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
I was looking at the main security procedures of Bluetooth.
That's Daniel Antoniale.
He's from Singapore University of Technology and Design. The research we're discussing today is titled
Knob Attack, Key Negotiation of Bluetooth Attack,
Breaking Bluetooth Security.
There is a pairing that is a security procedure that is used to establish like a long-term secret between two devices that have never met before.
And then once you pair two devices, you can connect them, right?
So Bluetooth is a technology that uses like a pair once, connect multiple times paradigm.
Bluetooth is a technology that uses like a pair once, connect multiple times paradigm.
You pair your new pair of headphones with your laptop and then you pair them once and then you connect them multiple times each time you want to use them.
And actually, each time you connect these devices, there is a key negotiation protocol going on
that is used by the devices to negotiate a session key
that might be used for, for example, for encryption. And then I had a look at the
specification of this protocol and there are two main problems in this protocol.
The first problem is that the key negotiation allows the devices to negotiate an entropy value for the new
session key.
And this entropy value can be as low as one byte.
And one byte of entropy means that an attacker can brute force the key basically in real
time.
It has to guess one value in a set of 256 values. So this is the first major issue. And the second
issue of the geonegotiation of Bluetooth is the fact that the protocol is not
protected. It is not integrity protected and it is not encrypted. And this means
that an attacker who is in Bluetooth range with two victims, two Bluetooth devices that are running
this protocol, can first of all observe the packets and it can also manipulate the content
of the packet.
And given that there is no message integrity check, these packets basically are not authenticated,
then the attacker can let any two Bluetooth TIC teams negotiate an encryption key
with one byte of entropy. Is there any indication of what the historical reason is for this key
negotiation process where they can negotiate the amount of entropy? Well, yeah, the specification
is provided two main reasons. The first one is to cope with international regulations of cryptographic standards.
So, for example, if you want to export some cipher in a different country, you have to
cope with the regulation that is in that country.
And the second motivation is given by the specification is to cope with an attacker who has more computational power.
But actually the specification is not including in the threat model the fact that an attacker can also downgrade the entropy through this key negotiation protocol.
I guess it was supposed to be used to increase
the entropy of the key over the years. But an attacker may very well downgrade the entropy
of the encryption key.
So help me understand here. Let's say that, for example, I have paired my keyboard to my computer. I have a Bluetooth keyboard
and I've connected it to my computer and they went through an initial pairing routine.
Yeah.
So in that process, they would have established a certain amount of entropy in their key negotiation.
Are we correct so far?
Well, there is not really a key negotiation protocol in the pairing phase
That in the pairing phase you establish a different key that is called the link key
It is a long term key and this key has 16 bytes of entropy and the attacker
doesn't have to observe the pairing phase and does not have to possess any information, any pre-shared secret that resulted from the pairing phase.
This is an important point that I tried to explain multiple times.
covering the Danube attack and they are reporting that the attack is conducting in the pairing phase while instead the attack is conducting in another phase
which is the connection connection phase regardless of what was exchanged during
the pairing phase. Now that's interesting because I mean it does that mean that
the the encryption used in the pairing phase doesn't really matter for this attack?
Yes, because in the end, in the collection phase, you are generating a weak key,
regardless of the strength of the key that you had generated previously during pairing.
So even if the key generating while pairing has 16 bytes of entropy,
the attacker can downgrade the encryption key, that is a different key,
and get a key with one byte of entropy.
And that communication is happening in the clear?
Yes.
And is that a standard for Bluetooth?
Is it possible to communicate using encryption with Bluetooth,
or does the standard always have things going back and forth in the clear?
Well, so Bluetooth supports link layer encryption mechanisms,
but before activating the encryption, you need an encryption key.
And this is how they decided to design the key negotiation
thing. It's not protected, it's not integrity protected, it is not
encrypted, and these are the consequences. So let's walk through together what an
attack would look like. Again, let's say that, for example, I had a Bluetooth keyboard connected to my computer
and you were someone who wanted to get in
and do the bad things you wanted to do.
How would you go about doing that?
Yeah, so the attacker can, of course,
has to be in Bluetooth range with the two devices
and you can start eavesdropping the communications
between these two devices and you can start eavesdropping the communications between these two devices.
And once you try to connect your keyboard with your laptop, there is this key negotiation
going on and the attacker has to intercept messages that are responsible for this entropy
negotiation part of the protocol. And the attacker basically performs a standard bend in the middle attack
and let the two victims negotiate one byte of entropy.
Now, once that has happened, is it possible for the attacker to stay in the middle?
In other words, I'm using my keyboard and I don't know that there's anything wrong but you're monitoring everything that I do well
yeah yeah that's not it to stay in the middle because once he left the victim
negotiate the no entropy key then he has to simply wait and continues dropping
the the packets that will be encrypted with a
weak key and then the attacker can use the ciphertext as an oracle to brute
force the key. And once the attacker gets access to the key then the game is over.
All the security guarantees provided by Bluetooth and the link layer are defeated.
This means that the attacker then can decrypt all the packets that are exchanged between your
keyboard and your laptop, and potentially
a powerful attacker can also inject valid packets
in the encrypted session. How easy is it to
achieve this sort of thing? Is this an easy attack, or does it
take quite a bit of work?
Well, it depends on the skills of the attacker. But if, let's say that there is a Bluetooth
engineer that is familiar with testing Bluetooth connections and sending packets,
Bluetooth packets, custom Bluetooth packets over the app, I guess that someone with those skills can pull off the attack.
It is more a matter of engineering effort, I guess.
And what are the mitigations that are available for this?
Well, yeah, when we did responsible disclosure with the Bluetooth consortium and CERT,
we provided them a set of countermeasures,
both legacy-compliant and non-legacy compliant ones. A legacy compliant countermeasure is to fix the entropy value
to 16, that is the maximum entropy value allowed by the standard. And this requires modifications
in the firmware of the devices. Because another important point
about the NOB attack is the fact that it is stealthy. The end user is not notified
about the encryption key, it is not notified about the entropy of the encryption key,
because this protocol is spoken between the radio chip and it is implemented in
the firmware of the radio chip.
So one way to mitigate the attack is to hard code 16 as the maximum and minimum allowed
value for the entropy of the encryption key and then you will end up negotiating always
the maximum amount of energy.
Otherwise the mitigation that actually was also put in place by some
vendors, such as, I guess, Microsoft, Apple, and Android, is to check from the operating
system of the device, and not from the firmware, but from the operating system of your device,
check the amount of entropy that was negotiated. And then according to some
threshold then you can tear down the connection.
Yeah, I was curious about that. So it is possible to have a fix for this
from the operating system side. So you might not necessarily have to update
firmware on your keyboard or your headphones or other devices.
Yes, yes. That's what actually happened for some operating systems
like Microsoft, Android, and macOS, I guess also iOS.
In your estimation, what is the seriousness of this?
How much should folks be concerned about it?
Well, I guess, in my opinion, it's a very serious attack
because it is a standard compliant attack.
If your attack is standard compliant, then regardless the Bluetooth version of the devices, regardless the implementers of the devices, then any standard compliant device might be potentially vulnerable.
So I guess that it is a pretty serious concern.
serious concern. Now, suppose I'm someone who's in charge of security at my organization, what steps should I be taking to make sure that we are prepared to defend against this sort of attack?
Oh yeah, that's a very good question. I guess that you should check if your operating system
was already patched to address the NO nov attack if not maybe not use bluetooth to
exchange sensitive information that's one thing that you can do i i guess part of the concern
with this is is that there are so many legacy devices out there um you know it's hard for me
to imagine people updating their their headphones or their keyboards or things like that.
I'm trying to think of it, or even their cars.
I'm trying to think of examples where Bluetooth is used in an environment where it's not likely that an operating system is going to be updated or things like that.
Yeah, yeah, that's true.
But still, you need to have two victims,
and maybe your smartphone is more modern than your car, and the smartphone can detect that the Novotak is going on, for example.
So if one of the two victims has a patchable operating system, then you might mitigate the threat.
So take us through the process of responsible disclosure with this.
Yeah, sure. So, we discovered the vulnerability in May 2018, and we sent them our report and our proof of concept code.
And they took our work seriously.
We presented the work in August 2019
after almost one year of embargo.
And so the organization had time to evaluate what you had done,
come up with mitigations,
and then spread that to all of the interested parties yeah exactly so yes
we gave like ethical hackers let's say like this and we gave more than enough
time because usually you have to give I guess six months but we gave like ten
months the industry to react and also also we coordinated with them about the security patches.
Now, have there been any reports of anyone using this technique beyond your research?
As far as I know, no.
Our thanks to Daniel Antonioli from the Singapore University of Technology and Design for joining us.
The research is titled Knob Attack, Key Negotiation of Bluetooth Attack, Breaking Bluetooth Security.
You can find more on their website, knobattack.com.
We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
365 with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, And I'm Dave Bittner.
Thanks for listening.