Bluetooth KNOB Attacks

Aug 20, 2019

In 2019 we disclosed two families of high impact attacks affecting the entropy negotiation protocols of Bluetooth Classic (BC) and Bluetooth Low Energy (BLE). We named the attacks Key Negotiation of Bluetooth (KNOB) attacks. They are tracked as CVE-2019-9506.

Our first work titled The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation of Bluetooth BR/EDR explains how to exploit BC’s entropy negotiation to downgrade the entropy of a Bluetooth security key to 1 byte and then brute-force it.

In a follow-up work titled Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy we analyzed also BLE and found that it is vulnerable as well to the KNOB attacks. In this case the attacker can downgrade the entropy of BLE security key to 7 bytes and then brute-force it.

USENIX Security 2019 Paper Presentation

Bluetooth blues: KNOB attack explained. — Research Saturday

BIAS + KNOB attack against Bluetooth IACR Attacks in Crypto

From Bluetooth Standard to Standard Compliant 0-days Hardwear.io

bluetooth protocol
Daniele Antonioli
Daniele Antonioli
Assistant Professor

Research in cyber-physical and wireless system security

comments powered by Disqus

Related

Publications

D. Antonioli, M. Payer (2022). On the Insecurity of Vehicles Against Protocol-Level Bluetooth Threats. IEEE WOOT.

PDF Cite Code Project Project Slides Video CVE-2019-9506 CVE-2020-10135

D. Antonioli, N. O. Tippenhauer, K. Rasmussen (2020). Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy. ACM TOPS.

PDF Cite Code Project knobattack.com CVE-2019-9506

D. Antonioli, N. O. Tippenhauer, K. Rasmussen (2019). The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation of Bluetooth BR/EDR. USENIX Security.

PDF Cite Code Project Slides Video Website CVE-2019-9506 CyberWire Oxford IR1915

Events

Bluetooth Security and the KNOB Attack on BLE
In this lecture we cover an Introduction about Bluetooth security, its main transports (BC, BLE), procedures (discovery, connect) and logical entities (Host, Controller, HCI). Then we look at Bluetooth security architecture and the specific BC/BLE algorithms and protocols.
Jul 4, 2023 00:00 Cyber in Sophia, Valbonne
Bluetooth Security and the KNOB Attack on BLE
On the (In)securities of Popular Standard and Proprietary Wireless Protocols
This talk covers our recent research on the (in)securities of proprietary and standard wireless security protocols used daily by millions of devices and users. In particular, I will cover the BLUR attacks on Bluetooth, a novel class of threats capable of exploiting Bluetooth Classic from Bluetooth Low Energy and vice versa.
Jun 1, 2023 00:00 Oxford University, CS Dept
On the (In)securities of Popular Standard and Proprietary Wireless Protocols
BIAS and KNOB attacks against Bluetooth BR/EDR/LE
Bluetooth is a ubiquitous technology for low power wireless communications. Bluetooth runs on billions of devices including mobile, wearables, home automation, smart speakers, headsets, industrial and medical appliances, and vehicles. As a result, Bluetooth’s attack surface is huge and includes significant threats such as identity thefts, privacy violations, and malicious device control.
Aug 18, 2020 00:00 IACR WAC workshop co-located with CRYPTO 2020
BIAS and KNOB attacks against Bluetooth BR/EDR/LE