A group of vulnerability testing researchers has revealed a new method to break Bluetooth’s encryption key negotiation protocol; the attack, dubbed ‘Key Negotiation of Bluetooth’ (KNOB), is possible on any device that supports the Bluetooth protocol and has prompted an early response from Google security teams to correct it.
Researchers Kasper Rasmussen and Daniele Antonioli, from Oxford University, presented this vulnerability during a recent cybersecurity event in California, USA.
According to vulnerability testing experts, the attack uses brute force to exploit a weakness in the firmware of a Bluetooth chip, allowing hackers to mount a Man-in-the-Middle (MitM) attack by injecting specially crafted packets. As a result, threat actors could gain access to other parts of the compromised system and extract sensitive information. The experts tested this attack method on 17 Bluetooth chips embedded in Apple, Broadcom, Intel and Qualcomm devices, and claim that the attack succeeded against every model analyzed.
The specialists note that an attacker does not need to know the pairing’s encryption keys to complete the attack, because it works by making both devices trust an encryption key with only 1 byte of entropy, which is very unsafe and easily brute-forced. It should be noted that most Bluetooth connections use longer keys, but the protocol does not verify possible changes in key entropy.
The key entropy is negotiated using the Link Manager Protocol (LMP): during negotiation, the first device proposes a key length for encryption and the second accepts the proposed length. If an attacker finds a way to intercept the negotiation and alter the suggested key length, both devices will use the shorter key length. An attacker can then easily recover the encryption key by brute force, read the information exchanged and even inject valid encrypted messages in real time.
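To make the negotiation concrete, here is an added toy model (example code written for this page, not from the researchers or any Bluetooth stack) of the LMP key-size exchange described above and of the 1-byte-entropy downgrade mentioned earlier, alongside the defensive check of enforcing a minimum key size; the device names, the `tamper` hook, the `min_key_size` policy and the 7-byte minimum in the hardened case are assumptions chosen for illustration.

```python
# Toy model of the LMP encryption key-size negotiation (constructed example,
# not real Bluetooth packet handling). Sizes are in bytes, 1..16 as in BR/EDR.
from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_SIZE = 16


@dataclass
class Device:
    name: str
    max_key_size: int = MAX_KEY_SIZE
    # Unpatched firmware: accepts any size down to 1 byte (assumed policy).
    min_key_size: int = 1

    def propose(self) -> int:
        # The initiator opens with the largest key size it supports.
        return self.max_key_size

    def accept(self, proposed: int) -> bool:
        # Hardened firmware raises min_key_size and rejects smaller proposals.
        return self.min_key_size <= proposed <= self.max_key_size


def negotiate(initiator: Device, responder: Device,
              tamper: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """Return the agreed key size, or None if either side aborts.

    'tamper' models a man-in-the-middle rewriting the proposal in transit and
    relaying the lowered size back to the initiator as a counter-proposal.
    """
    proposed = initiator.propose()
    if tamper is not None:
        proposed = tamper(proposed)
    if not responder.accept(proposed):
        return None  # responder refuses: negotiation fails safely
    if not initiator.accept(proposed):
        return None  # initiator refuses the (possibly lowered) counter-proposal
    return proposed


def brute_force_keyspace(key_size_bytes: int) -> int:
    # Number of candidate keys an attacker must try at the agreed entropy.
    return 2 ** (8 * key_size_bytes)


if __name__ == "__main__":
    downgrade = lambda _size: 1  # attacker forces the minimum
    print(negotiate(Device("A"), Device("B")))             # 16
    print(negotiate(Device("A"), Device("B"), downgrade))  # 1
    print(brute_force_keyspace(1))                         # 256
    print(negotiate(Device("A", min_key_size=7),
                    Device("B", min_key_size=7), downgrade))  # None
```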
Vulnerability testing experts mention that such an attack requires special equipment, such as Bluetooth protocol analyzers, as well as an efficient brute-force script. Although the complexity of this attack is considerable, experts say it is fully functional in practice. As if that were not enough risk, it is even possible to perform a firmware attack against only one of the victims, using backdoors or chips not authorized by
The researchers reported these vulnerabilities to the organizations responsible for strengthening the security of this connection protocol, such as the Bluetooth Special Interest Group (SIG), before disclosing their research to the public. According to vulnerability testing specialists from the International Institute of Cyber Security (IICS), embedded Bluetooth device manufacturers will release security updates to fix these flaws as soon as possible.