Researchers have broken Bluetooth’s encryption key negotiation protocol using an attack they’ve called KNOB – Key Negotiation Of Bluetooth. The vulnerability affects almost all devices that support Bluetooth, but Google has already announced patches for Android devices.
The vulnerability was reported in a paper given at this year’s USENIX Security Symposium in California. The researchers, Kasper B. Rasmussen from Oxford University, Daniele Antonioli of Singapore University of Technology, and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security, gave a paper on how a brute-force attack can be used to target a weakness in the firmware of a Bluetooth chip to let hackers set up a man-in-the-middle attack using packet injection. The attack can then be used to gain access to sensitive data.
The researchers say the attack can be carried out without any knowledge of encryption keys, and the way it works is to make Bluetooth users rely an encryption key with only 1 byte of entropy – keys that are one character long. While such keys do secure a Bluetooth-paired connection, they’re susceptible to a brute-force attack. Most Bluetooth connections would use a longer key, but Bluetooth doesn’t check for changes in the entropy of encryption keys, and the pre-pairing stage isn’t encrypted.
The entropy negotiation is performed over the Link Manager Protocol (LMP), and it is transparent to the Bluetooth users because LMP packets are managed by the firmware of the Bluetooth chips and they are not propagated to higher layers. In the negotiation, the first device suggests a key length for encryption, and the second device accepts whatever key length is suggested. This means that if an attacker finds a way to intercept the non-encrypted negotiation and alter the key length, the devices will both use the shorter key. The attacker can then use brute force to crack the negotiated encryption keys, decrypt the information being exchanged, and inject valid encrypted messages in realtime.
The attack goes undetected because the encryption key negotiation is transparent to the Bluetooth users, and is:
“standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected.”
Implementing such an attack would require devices such as a Bluetooth protocol analyzer along with a brute force script. It would still be difficult to difficult such an attack, but the researchers said it would also be possible for a firmware attack where the firmware of the Bluetooth chip of a single victim would be compromised using techniques such as backdoors, supply-chain implants, or rogue chip manufacturers.
Before giving the paper, the researchers had explained their findings to the Bluetooth Special Interest Group (SIG) along with other bodies including the the International Consortium for Advanced Cybersecurity on the Internet. SIG says it has updated the Bluetooth Core Specification to recommend the use of encryption keys with a minimum of 7 bytes of entropy. Manufacturers of devices using Bluetooth are putting out updates.
The researchers tested 17 Bluetooth chips from Apple, Broadcom, Chicony, Intel and Qualcomm, and found they were all susceptible to attack. The full list can be read online.
At the time of writing, Blackberry included a patch for its Android devices in June, and Google included the patch in its August 5 Android update.