Presentation is loading. Please wait.

Presentation is loading. Please wait.

USENIX 2019 @ Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli1, Nils.

Published byRachel Charles Modified over 5 years ago

Similar presentations

Presentation on theme: "USENIX 2019 @ Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli1, Nils."— Presentation transcript:

1 USENIX Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli1, Nils Ole Tippenhauer2, Kasper Rasmussen3 1Singapore University of Technology and Design (SUTD) 2CISPA Helmholtz Center for Information Security 3University of Oxford Presenter: Jaemin Shin Slides mostly borrowed from Daniele Antonioli Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR 1

2 Bluetooth - Pervasive wireless technology for personal area networks
- E.g., mobile, automotive, medical, and industrial devices Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 2

3 This paper not about BLE, but about Bluetooth Classic!
BLE (Bluetooth Low Energy) - Started at Bluetooth 4.0 specification - Open source implementation available in Linux drivers - Security at various perspectives has been explored on BLE - Mike Ryan, Bluetooth: With Low Energy comes Low Security (USENIX WOOT ‘13) - Kassem Fawaz, Kyu-Han Kim, Kang G. Shin, Protecting Privacy of BLE Device Users (USENIX Security ‘16) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

4 This paper not about BLE, but about Bluetooth Classic!
Bluetooth BR/EDR (or Classic) - Open but complex specification - No public reference implementation - Unexplored!! - Uses custom security mechanisms at the link layer Basic Rate / Extended Data Rate Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 4

5 Bluetooth Security Mechanisms
Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 5

6 Bluetooth Security Mechanisms
Elliptic Curve Diffie Hellman Challenge-response authentication Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 5

7 Bluetooth Security Mechanisms
Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 5

8 Bluetooth Security Mechanisms
Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 5

9 Bluetooth Security Mechanisms
Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 5

10 Encryption Key Negotiation Of Bluetooth (KNOB)
- Paired devices negotiate an encryption key ( ) upon connection Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

11 Encryption Key Negotiation Of Bluetooth (KNOB)
- Paired devices negotiate an encryption key ( ) upon connection Bluetooth allows with 1 byte of entropy and does not authenticate Entropy Negotiation Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

12 Our Contribution: Key Negotiation Of Bluetooth (KNOB) Attack
- Our Key Negotiation of Bluetooth (KNOB) attack sets N=1, and brute forces - Affects any standard compliant Bluetooth device (architectural attack) - Allows to decrypt all traffic and inject valid traffic - Runs in parallel (multiple links and piconets) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

13 KNOB Attack Stages Alice and Bob securely pair in absence of Eve
Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

14 KNOB Attack Stages Alice and Bob securely pair in absence of Eve
Alice and Bob initiate a secure connection Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

15 KNOB Attack Stages Alice and Bob securely pair in absence of Eve
Alice and Bob initiate a secure connection Charlie makes the victims negotiate an encryption key with 1 byte of entropy Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

16 KNOB Attack Stages Alice and Bob securely pair in absence of Eve
Alice and Bob initiate a secure connection Charlie makes the victims negotiate an encryption key with 1 byte of entropy Charlie eavesdrop the ciphertext and brute force the key in real time Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

17 Bluetooth Entropy Negotiation
- Entropy negotiation is neither integrity protected nor encrypted - N between 1 and 16 Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR LMP 7

18 Adversarial Bluetooth Entropy Negotiation
- Charlie sets N=1 ( ’s entropy), LMP is neither integrity protected nor encrypted Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR LMP 8

19 Brute Forcing the Encryption Key in Real Time
- Alice and Bob use an encryption key ( ) with 1 Byte of entropy - Charlie brute forces within 256 candidates (in parallel) space when entropy is 1 byte - AES-CCM: 0x xff - E0: (0x xff) x 0x00e275a0abd218d4cf928b9bbf6cb08f Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Brute force 9

20 - Attacker decrypts a file exchanged over an encrypted Bluetooth link
KNOB Attack Scenario - Attacker decrypts a file exchanged over an encrypted Bluetooth link - Victims: Nexus 5 and Motorola G3 - Attacker: ThinkPad X1 and Ubertooth (Bluetooth sniffer) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 10

21 Vulnerable chips and devices (Bluetooth 5.0, 4.2)
Bluetooth chip Device(s) Vulnerable? Bluetooth Version 5.0 Snapdragon 845 Galaxy S9 Snapdragon 835 Pixel 2, OnePlus 5 C Apple/USI 339S00428 MacBookPro 2018 Apple A1865 iPhone X Bluetooth Version 4.2 Intel 8265 ThinkPad X1 6th Intel 7265 ThinkPad X1 3rd Unknown Sennheiser PXC 550 Apple/USI 339S00045 iPad Pro 2 BCM43438 RPi 3B, RPi 3B+ BCM43602 iMac MMQA2LL/A = Entropy of the encryption key ( ) reduced to 1 Byte Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 11

22 Vulnerable chips and devices (Bluetooth 4.1 and below)
Bluetooth chip Device(s) Vulnerable? Bluetooth Version 4.1 BCM4339 (CYW4339) Nexus5, iPhone 6 C Snapdragon 410 Motorola G3 Bluetooth Version ≤ 4.0 Snapdragon 800 Intel Centrino Chicony Unknown Broadcom Unknown Broadcom Unknown Apple W1 LG G2 ThinkPad X230 ThinkPad KT ThinkPad 41U5008 Anker A AirPods C C C C C * C= Entropy of the encryption key ( ) reduced to 1 Byte * = Entropy of the encryption key ( ) reduced to 7 Byte The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli Evaluation 12

23 KNOB in Bluetooth core spec v5.0 (page 1650)
“For the encryption algorithm, the key size (N) may vary between 1 and 16 octets (8-128 bits). The size of the encryption key is configurable for two rea- sons. The first has to do with the many different requirements imposed on cryptographic algorithms in different countries - both with respect to export regulations and official attitudes towards privacy in general. The second reason is to facilitate a future upgrade path for the security without the need of a costly redesign of the algorithms and encryption hardware; increasing the effective key size is the simplest way to combat increased computing power at the opponent side.” id=421043 Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 13

24 KNOB Attack Disclosure and Countermeasures
- We did responsible disclosure with CERT and Bluetooth SIG (CVE ) - KNOB discovery in May 2018, exploitation and report in October 2018 - Many industries affected, e.g., Intel, Broadcom, Qualcomm, ARM, and Apple - Legacy compliant countermeasures - Set 16 bytes of entropy in the Bluetooth firmware - Check N from the host (OS) upon connection - Security mechanisms on top of the link layer - Non legacy compliant countermeasures - Secure entropy negotiation with KL (ECDH shared secret) - Get rid of the entropy negotiation protocol Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 14

25 Related Work The security and privacy guarantees of Bluetooth were studied since Bluetooth v1.0. Several attacks on the Secure Simple Pairing (SSP) protocol Several attacks on various implementations of Bluetooth (Android, iOS, Windows, Linux) Several attacks on security of the ciphers used by Bluetooth  KNOB attack works regardless of security guarantees / target platform / cipher ! Dennis Mantz et al., InternalBlue – Bluetooth Binary Patching and Experimental Framework (ACM MobiSys 2019) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 14

26

27

28

29

30

31

32 The most important capabilities of InternalBlue are: • modifying arbitrary memory regions including Read Only Memory (ROM), • run arbitrary code in the context of the running firmware, • send arbitrary HCI commands to the chip, • establish connections to non-visible devices, and • enable monitor mode and injection for the Link Manager Protocol (LMP). We perform the following security demos and contributions with InternalBlue: • test for user interaction behavior of pairing devices without input and output capabilities [29], • test for a known ECDH pairing vulnerability [13], • Media Access Control (MAC) address filter within LMP to improve security, • emulation framework to fuzz malicious payloads and trace their call graph, and • discovery of a severe security vulnerability (CVE ) that allows to crash various Broadcom Bluetooth firmwares and execute a subset of functions within them.

33 Discussion Using the attack over-the-air is not easy
Both devices need to be Bluetooth BR/EDR An attacker would need to be within range of the devices while they are establishing a connection. “The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window” The encryption key would need to be successfully shortened and then brute forced to crack the decryption key. The attacker would need to repeat this attack every time the devices paired. Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 14

34 We propose the Key Negotiation Of Bluetooth (KNOB) attack
Conclusion We propose the Key Negotiation Of Bluetooth (KNOB) attack - Reduces the entropy of any encryption key to 1 Byte, and brute forces the key - Affects any standard compliant Bluetooth device (architectural attack) - Allows to decrypt all traffic and inject valid traffic - Runs in parallel (multiple links and piconets) We implement and evaluate the KNOB attack - 14 vulnerable chips (Intel, Broadcom, Apple, and Qualcomm) - 21 vulnerable devices Provide effective legacy and non legacy compliant countermeasures For more information visit: Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Conclusions 15

35 Thanks for your time! Any Questions?
Conclusion We propose the Key Negotiation Of Bluetooth (KNOB) attack - Reduces the entropy of any encryption key to 1 Byte, and brute forces the key - Affects any standard compliant Bluetooth device (architectural attack) - Allows to decrypt all traffic and inject valid traffic - Runs in parallel (multiple links and piconets) We implement and evaluate the KNOB attack - 14 vulnerable chips (Intel, Broadcom, Apple, and Qualcomm) - 21 vulnerable devices Provide effective legacy and non legacy compliant countermeasures For more information visit: Thanks for your time! Any Questions? Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Conclusions 15

Download ppt "USENIX 2019 @ Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli1, Nils."

Similar presentations

Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.

Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.

Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.
Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.

Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.
Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan ˇCapkun Department of Computer Science, ETH Zurich Attacks on Public WLAN-based.

Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan ˇCapkun Department of Computer Science, ETH Zurich Attacks on Public WLAN-based.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
“Security Weakness in Bluetooth” M.Jakobsson, S.Wetzel LNCS 2020, 2001 The introduction of new technology and functionality can provides its users with.

“Security Weakness in Bluetooth” M.Jakobsson, S.Wetzel LNCS 2020, 2001 The introduction of new technology and functionality can provides its users with.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Done By : Ahmad Al-Asmar Wireless LAN Security Risks and Solutions.

Done By : Ahmad Al-Asmar Wireless LAN Security Risks and Solutions.
Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 21 Public-Key Cryptography and Message Authentication.
1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.
Network Security David Lazăr.

Network Security David Lazăr.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.

Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Similar presentations

Ads by Google