This week at USENIX three
researchers published information about a new attack against classic Bluetooth.
Known as KNOB, the attack takes advantage of a
weakness in the Bluetooth specification to force target Bluetooth connections
to use 8-bit encryption keys instead of larger keys that would be resilient
against brute-force attack.
This weakness in classic Bluetooth (not Bluetooth Low Energy) is a big one. I
don’t recall seeing such a significant vulnerability in Basic Rate Bluetooth
security since pairing was improved with the introduction of Secure Simple
Pairing in Core
v2.1 in 2007.
One of the things that intrigued me when I heard about the KNOB attack this
week was that it sounded very familiar. After chatting with Dominic Spill,
we’re pretty sure we discussed the potential for this attack about ten years
ago. I’m fairly certain that I had highlighted Encryption Key Size Request in
a printed copy of the specification around that time.
What we didn’t have back then was a way to test for this vulnerability. The
specification allows for devices to reject key sizes they consider too small,
and I guessed at the time that vendors would enforce a more reasonable minimum
key size than the smallest (1 byte) allowed by the specification. As
demonstrated this week by Daniele Antonioli, Nils Ole Tippenhauer, and Kasper
I was wrong!
In order to test this attack it is necessary to modify the behavior of the Link
Manager, the part of a Bluetooth chip that creates logical links with other
Bluetooth devices. The Link Manager Protocol (LMP) is the low layer protocol
that Link Managers use to communicate with one another and negotiate things
including encryption for protection of higher layer protocols. LMP messages
are not visible over the Host Controller Interface (HCI) that carries
information between a Bluetooth chip and an application processor. If you only
have the ability to control a Bluetooth chip by modifying an Operating System
driver, you can alter behavior at the HCI level but not the LMP level. Ten
years ago I was working on creating tools for monitoring Bluetooth signals, and
I used off-the-shelf Bluetooth adapters for security testing, but I didn’t have
any tools capable of active attacks below the HCI layer.
Last year things changed when Dennis Mantz released
InternalBlue along with his award
Dennis reverse engineered the firmware of a popular Bluetooth chip and with
InternalBlue provided a method to alter the firmware, enabling modification of
Link Manager behavior for the first time. Since then Dennis and Jiska Classen
have published a series of papers and
demonstrating powerful uses of this important tool.
It was InternalBlue that enabled the KNOB researchers to test attacks against
key size negotiation for the first time. They used InternalBlue to implement a
man-in-the-middle attack that inserted requests for a key size of one byte and
successfully demonstrated the attack against nearly every Bluetooth device they
tested. This weakness existed in the Bluetooth specification for twelve years,
but nobody had tools to test it. Once a tool became available, KNOB was
discovered within a year.
Another tool used by the KNOB researchers was Ubertooth One,
the open source Bluetooth monitoring platform I designed almost a decade ago.
They used Ubertooth One to eavesdrop on encrypted packets in order to prove the
weakness of the encryption after forcing a key size of one byte. They
correctly point out in their paper that Ubertooth One lacks an effective
ability to follow the hopping sequence of classic Bluetooth connections (it is
better at this with Bluetooth Low Energy, thanks to Mike
Ryan), but they worked around that problem by
capturing a single packet and then iterating over all possible
clock values to interpret the packet. This ingenuity allowed them to use the
low cost Ubertooth One instead of a Bluetooth analyzer costing tens of
thousands of dollars.
The KNOB researchers demonstrated that Wright’s Law still holds true after
all these years:
“Security will not get better until tools for practical exploration of the attack surface are made available.” –Josh Wright