The KNOB attack: a vulnerability puts at risk all Bluetooth devices

Key Negotiation of Bluetooth – or KNOB – this is the name of an attack that exploits a recently discovered vulnerability (CVE-2019-9506) that affects the Bluetooth standard and can allow criminals or simple criminals to intercept the flow of communications that takes place between two devices interconnected with each other via the Bluetooth protocol.

The researchers who identified the problem explain: ” The KNOB attack exploits a weakness on the architectural level of the Bluetooth standard. The vulnerability of the encryption key negotiation protocol potentially puts at risk the security of any device that complies with the standard, regardless of the version and implementation details. We believe that the encryption key negotiation protocol should be corrected as soon as possible “.

The KNOB attack targets a specific weakness in the encryption key setup process, which occurs before the two devices connect to each other. The Bluetooth specifications establish that the communications encryption key must be between 1 and 16 bytes in length, with the lower limit set to respond, among other things, to ” international encryption regulations “.

All devices that comply with the Bluetooth standard are called to negotiate the length of the encryption key before establishing the communication channel. The master device can propose a 16-byte key, while the slave device may respond that it can only use a shorter key. In the event that it can only use 1-byte keys, this could be prone to attempts at violation using brute force techniques, which can be carried out quite simply.

The KNOB attack forces two devices to choose a 1-byte encryption key, so that an attacker can easily break the key and listen. Between two devices connected via Bluetooth can pass various information: the phone book that a smartphone shares with the infotainment system of a car, the photographs exchanged between two smarthpones or the text typed by a wireless keyboard, just to give some concrete examples.

The negotiation of the key length is done through the Link Manager Protocol, whose operations are not encrypted or authenticated but are invisible to the app and the operating system: this means that for a user, it is almost impossible to notice the possible attack or to know, which is the length of the encryption key, unless specialized equipment is used.

Given this scenario, the researchers basically outlined two types of attack: one involves modifying the firmware of one of the two devices so that it always imposes a 1 byte long key, the second falls instead into the Man in the Middle and provides for the interposition of the attacker between two Bluetooth devices by forcing the master to adopt a 1 byte key, then allowing the connection between the two devices to be established with this key, violating it later.

The researchers simulated the first type of attack, considered to be easier to put into practice. The simulation took place on 14 different Bluetooth chips, including those of Broadcom, Apple and Qualcomm, and they were all vulnerable.

The attack based on the modification of the firmware requires physical access to the device, which means either the compromise of a batch of devices already in the factory production phases or in any case the violation of a single device if you want to perform a targeted attack.

The second type of attack is even more complex, since it requires the occurrence of different elements. The Bluetooth Special Interest Group, the body that oversees the standard, has issued a note in this regard:

” For an attack to succeed, an attacking device should be in the radio range of two vulnerable Bluetooth devices that are establishing a BR/EDR connection. If one of the two devices is not vulnerable, the attack cannot be successful. Attack device should interrupt, manipulate and retransmit the negotiation messages of the key length between the two devices and at the same time block the messages of both, all in a short time window. If the attack device were successful in reducing the length of the encryption key, it should, then execute a bruteforce attack to violate the key. In addition, addition the attack device should repeat the entire procedure every time encryption is enabled since the encryption key negotiation takes place every time “.

SIG expects the release of a corrective patch and a revision of the standard, but in the meantime a series of realities (Apple, Blackberry, Cisco, Google, Microsoft) has already independently released the software updates necessary to solve or mitigate the problem.

As mentioned, this is an attack that can be conducted in a real scenario but with some difficulty and is quite unlikely to happen in everyday scenarios such as at the bar or in the station. It is a further element that enriches the valid reasons why the Bluetooth connection should be considered unsafe: perhaps suitable for ” casual ” use, such as listening to music, for example: but to avoid in the event that the transmission of sensitive data, especially if you are in crowded areas.

On the other hand, we are talking about a standard born in the 90s, when the concept of security-by-design was a subject that was still underestimated.