Bluetooth is a ubiquitous technology for low power wireless communications. Bluetooth runs on billions of devices, including mobile, wearables, home automation, smart speakers, headsets, industrial and medical appliances, and vehicles. As a result, Bluetooth’s attack surface is huge and includes significant threats such as identity thefts, privacy violations, and malicious device control.
Bluetooth is a complex technology specified in an open standard. The standard defines two wireless stacks Bluetooth “classic” BR/EDR for high throughput services (e.g., audio and voice) and Bluetooth Low Energy (BLE) for very low power services (e.g., localization, and monitoring). The standard defines security mechanisms to protect Bluetooth communications. Those mechanisms include pairing to share a long term key among two devices, and secure session establishment to let two paired devices negotiate session keys. It is paramount that those standard security mechanisms provide security guarantees that they promise, such as confidentiality, authenticity, and integrity of data. A single vulnerability in a standard security mechanism translates into billions of exploitable devices.
This talk describes how we managed to find and exploit standard-compliant 0-days in the Bluetooth standard. We describe, in detail, the Bluetooth security architecture, including its main components (Host, Controller) and protocols (HCI, LMP, and SMP). Then we talk about the Key Negotiation of Bluetooth (KNOB) attack on Bluetooth “classic” BR/EDR [CVE-2019-9506] and its extension to BLE. The KNOB attacks are enabled by standard-compliant 0-days in the key negotiation protocols of Bluetooth “classic” BR/EDR and BLE. In particular, those protocols allow to negotiate keys with very low entropy (strength), and they do not protect the integrity of entropy negotiation. Using the KNOB attack, a man-in-the-middle attacker can force a Bluetooth “classic” BR/EDR session key to 1 byte of entropy, and a BLE long term key to 7 bytes of entropy. Such low entropy values are unacceptable in 2020 and can easily (for BLE) or trivially (for BR/EDR) be brute-forced.
As a result of our attacks, a remote attacker gets access to private data and inserts valid malicious data on Bluetooth “classic” BR/EDR and BLE secure connection. The exploits are effective on any standard compliant Bluetooth device regardless of software, hardware vendors and versions, Bluetooth version, supported security features, or security mode in use. As a result of our disclosure in 2019, the Bluetooth SIG amended the standard by requiring 7 bytes of entropy as minimum entropy value for Bluetooth BR/EDR (as for BLE). Only some vendors, including Intel, Google, Apple, and Microsoft, patched a subset of their products to address the KNOB attack, and in the talk, we describe some of those patches and why they are not effective. We also describe why the majority of low-end devices that we tested remains vulnerable to the 1-byte entropy downgrade. We conclude the talk describing the main lessons that we learned while finding and exploiting Bluetooth standard compliant 0 days.
The KNOB attacks were identified, investigated, and demonstrated by Daniele Antonioli, Nils Tippenhauer, and Kasper Rasmussen, more information at https://knobattack.com.