The vulnerability, assigned as CVE-2019-9506, resides in the way 'encryption key negotiation protocol' lets two Bluetooth BR/EDR devices choose an entropy value for encryption keys while pairing to secure their connection.
Referred to as the Key Negotiation of Bluetooth (KNOB) attack, the vulnerability could allow remote attackers in close proximity to targeted devices to intercept, monitor, or manipulate encrypted Bluetooth traffic between two paired devices.
The Bluetooth BR/EDR (Basic Rate/Enhanced Data Rate, also known as "Bluetooth Classic") is a wireless technology standard that has typically been designed for relatively short-range, continuous wireless connection such as streaming audio to headsets or portable speakers.
From the security point of view, the core specification of Bluetooth BR/EDR protocol supports encryption keys with entropy between 1 and 16 bytes/octets, where the higher value means more security.
However, researchers find that the entropy negotiation, which devices perform over the Link Manager Protocol (LMP), is neither encrypted nor authenticated, and can be hijacked or manipulated over-the-air.
How Does Bluetooth BR/EDR Key Negotiation Vulnerability Work?
The newly discovered Bluetooth vulnerability could allow a remote attacker to trick two targeted devices into agreeing on an encryption key with only 1 byte (8 bits) of entropy, eventually making it easy to brute-force the negotiated encryption keys.
"For example, assume that there are two controllers attempting to establish a connection: Alice and Bob. After authenticating the link key, Alice proposes that she and Bob use 16 bytes of entropy. This number, N, could be between 1 and 16 bytes. Bob can either accept this, reject this and abort the negotiation, or propose a smaller value," explains an advisory published by the CERT Coordination Center.
"Bob may wish to propose a smaller N value because he (the controller) does not support the larger amount of bytes proposed by Alice. After proposing a smaller amount, Alice can accept it and request to activate link-layer encryption with Bob, which Bob can accept."
However, by exploiting the reported vulnerability "an attacker, Charlie, could force Alice and Bob to use a smaller N by intercepting Alice's proposal request to Bob and changing N."
Once decrypted, the attacker can passively capture encrypted messages being transmitted over the Bluetooth traffic, decrypt the ciphertext and inject valid valid ciphertext, all in real-time and stealthy.
Besides this, it is also important to note that, for an attack to be successful:
- both Bluetooth devices must be establishing a BR/EDR connection,
- both Bluetooth devices must be vulnerable to this flaw,
- the attacker should be able to block direct transmissions between devices while pairing, and
- the attack must be performed during negotiation or renegotiation of a paired device connection; existing sessions cannot be attacked.
Moreover, the official advisory released by Bluetooth.com also says, "Since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet."
Affected Vendors/Software/OS and Patch Updates
This vulnerability was discovered by a team of researchers including Daniele Antonioli from SUTD, Dr. Nils Ole Tippenhauer from CISPA and Prof. Kasper Rasmussen from the University of Oxford.
"We evaluate the KNOB attack on more than 14 Bluetooth chips from different vendors such as Intel, Broadcom, Apple, and Qualcomm. All the chips accept 1 byte of entropy except the Apple W1 chip that accepts (at least) 7 bytes of entropy," the researchers said in a detailed paper [PDF] released yesterday.
To mitigate KNOB attack, the maintainers of the Bluetooth specifications have strongly recommended device manufacturers and software vendors to enforce a minimum encryption key length of 7 octets for BR/EDR connections.
To patch this vulnerability, various affected vendors have already started releasing security updates for their operating systems, firmware, and software, including: