This week at USENIX three researchers published information about a new attack against classic Bluetooth. Known as KNOB, the attack takes advantage of a weakness in the Bluetooth specification to force target Bluetooth connections to use 8-bit encryption keys instead of larger keys that would be resilient against brute-force attack.

This weakness in classic Bluetooth (not Bluetooth Low Energy) is a big one. I don’t recall seeing such a significant vulnerability in Basic Rate Bluetooth security since pairing was improved with the introduction of Secure Simple Pairing in Core Specification v2.1 in 2007.

One of the things that intrigued me when I heard about the KNOB attack this week was that it sounded very familiar. After chatting with Dominic Spill, we’re pretty sure we discussed the potential for this attack about ten years ago. I’m fairly certain that I had highlighted Encryption Key Size Request in a printed copy of the specification around that time.

What we didn’t have back then was a way to test for this vulnerability. The specification allows for devices to reject key sizes they consider too small, and I guessed at the time that vendors would enforce a more reasonable minimum key size than the smallest (1 byte) allowed by the specification. As demonstrated this week by Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen, I was wrong!

In order to test this attack it is necessary to modify the behavior of the Link Manager, the part of a Bluetooth chip that creates logical links with other Bluetooth devices. The Link Manager Protocol (LMP) is the low layer protocol that Link Managers use to communicate with one another and negotiate things including encryption for protection of higher layer protocols. LMP messages are not visible over the Host Controller Interface (HCI) that carries information between a Bluetooth chip and an application processor. If you only have the ability to control a Bluetooth chip by modifying an Operating System driver, you can alter behavior at the HCI level but not the LMP level. Ten years ago I was working on creating tools for monitoring Bluetooth signals, and I used off-the-shelf Bluetooth adapters for security testing, but I didn’t have any tools capable of active attacks below the HCI layer.

Last year things changed when Dennis Mantz released InternalBlue along with his award winning master’s thesis. Dennis reverse engineered the firmware of a popular Bluetooth chip and with InternalBlue provided a method to alter the firmware, enabling modification of Link Manager behavior for the first time. Since then Dennis and Jiska Classen have published a series of papers and presentations demonstrating powerful uses of this important tool.

It was InternalBlue that enabled the KNOB researchers to test attacks against key size negotiation for the first time. They used InternalBlue to implement a man-in-the-middle attack that inserted requests for a key size of one byte and successfully demonstrated the attack against nearly every Bluetooth device they tested. This weakness existed in the Bluetooth specification for twelve years, but nobody had tools to test it. Once a tool became available, KNOB was discovered within a year.

Another tool used by the KNOB researchers was Ubertooth One, the open source Bluetooth monitoring platform I designed almost a decade ago. They used Ubertooth One to eavesdrop on encrypted packets in order to prove the weakness of the encryption after forcing a key size of one byte. They correctly point out in their paper that Ubertooth One lacks an effective ability to follow the hopping sequence of classic Bluetooth connections (it is better at this with Bluetooth Low Energy, thanks to Mike Ryan), but they worked around that problem by capturing a single packet and then iterating over all possible clock values to interpret the packet. This ingenuity allowed them to use the low cost Ubertooth One instead of a Bluetooth analyzer costing tens of thousands of dollars.

The KNOB researchers demonstrated that Wright’s Law still holds true after all these years:

“Security will not get better until tools for practical exploration of the attack surface are made available.” –Josh Wright

In this presentation at Troopers 2018, Kate Temkin and Dominic Spill used GreatFET One and the Facedancer software framework to demonstrate techniques for reverse engineering embedded USB hosts.

It is often fairly simple to set up an environment for reversing a USB device; you just plug it into a host that you control. Then you can manipulate software on the host to test or monitor USB communications between the host and device. Even if the host operating system doesn’t provide a way for you to monitor USB (hint: it probably does), you can run it inside a virtual machine that runs on top of Linux and use Linux’s usbmon capability.

But how do you sniff USB if the USB host is an embedded platform that you don’t control? What if it is a game console or a photocopier with software that you can’t run in a virtual machine? Kate and Dominic show how you can use GreatFET One and a laptop to proxy USB between a device and a host without controlling software on either the device or the host. With the USBProxy solution they implemented in Facedancer, it is possible not only to monitor USB communication but also to modify USB data in transit.

Additionally they demonstrate how the Facedancer software for GreatFET can be used to emulate a USB device, allowing them to reverse engineer “black box” USB hosts and test them for vulnerabilities.

download video
download slides

On Sunday, Kate Temkin and Mikaela Szekely presented Making USB Accessible: Developing Ultra-low-cost, Open USB Tools at Teardown 2019 in Portland. In this well-received talk, they debuted ViewSB, a USB analyzer that supports various capture backends including GreatFET, OpenVizsla, and usbmon.

In the days leading up to the talk, Kate went on a tear, developing ViewSB to complement the hardware solutions for USB capture that she and Mikaela had been working on. I asked, “Why do we need ViewSB when we already have tools such as PulseView and Wireshark?”

Her answer was that the existing open source software tools for USB analysis don’t present data in a way that is useful enough for USB developers. I recalled my past confusion about USB nomenclature and how the most essential thing I learned from Kate’s training class at hardwaresecurity.training last year had been an understanding of the differences between USB packets, transactions, and transfers. Thinking back to the tools we used in that class, I realized that she was right that a new tool was needed. In fact, the limitations of the existing tools were probably largely responsible for my confusion!

As you can see in this video, ViewSB presents low level USB packet data in a visual format that groups packets together into transactions, something that I had previously seen only in software for proprietary USB analyzers. It makes USB much easier to understand. I wholeheartedly agree with Mikaela and Kate that their work makes USB accessible!

Code used in the presentation can be found in the usb-tools organization on GitHub.

download video
download slides

I recently sat down with Darren Kitchen to record a couple Hak5 episodes. First we introduced GreatFET One to his viewers and demonstrated using its Facedancer capability to emulate a USB device. Then we did some infrared hacking with Gladiolus, a prototype GreatFET neighbor we plan to release later this year. Thanks for having me on the show, Darren!

More students! The TARDIS Team from Sapienza University of Rome, Italy was selected for the [REXUS/BEXUS] (http://rexusbexus.net/) program. The German Aerospace Center (DLR) and the Swedish National Space Agency (SNSA), in collaboration with the European Space Agency (ESA), jointly allow students from universities and higher education colleges across Europe to carry out scientific and technological experiments on research rockets and balloons.

Their experiment, named TARDIS (Tracking and Attitude Radio-based Determination in Stratosphere), will be launched on a balloon in October from Kiruna (Sweden), reaching 30 km of altitude. The experiment’s main objectives are to determine the position and the attitude of the balloon by digital processing of VOR navigation system signals.

And, yes, their acronym, [TARDIS] (https://tardis.s5lab.space/), may have influenced our choice this month!

More students got free stuff in March. The University of Split - Flow Design Team makes autonomous drones and will use their new HackRF One to improve their score in competitions. They will be competing in the [AUVSI SUAS] (http://www.auvsi-suas.org/) again this year. They won the Most Stubborn Team Award last year!

HHSec received an Ubertooth One as the Free Stuff recipients for February. They are a group of students from the Hague University of Applied Sciences and plan to use it in their IoT research. They look like an enterprising team and we are happy to encourage them.

January was a strange month for the freestuff mailbox. We had some pranksters and people who never replied, so we didn’t send anything. Instead, we are going to reopen January for submissions. Starting… now!

If you’d like to be considered to receive free hardware from Great Scott Gadgets, please visit the Free Stuff page and send us a message with lots of details about your project. We have a GreatFET One just dying to escape the lab!

In December, we sent a HackRF One to Jærgruppen av NRRL Norsk Radio Relae Liga, an amateur radio group in southwest Norway. They run radio courses every year and work with their local scouting groups. They hope to use their new HackRF in this year’s JOTA (Jamboree on the Air).

It’s happenning! We started shipping GreatFET One to resellers last week, which means that very soon (probably even today) it will be available for you to order online from your favorite reseller of Great Scott Gadgets products. Hint: if your shop of choice doesn’t carry it yet, let them know you’re interested!

It was January of 2016 when Mike Ossmann gave his firetalk at Shmoocon titled GreatFET: A Preview, in which he explained how he bought the GoodFET project from Travis Goodspeed in a Las Vegas bar for $5. That was the beginning of the project that came to be known (humorously, at first) as GreatFET. At that time, GreatFET One was known as Azalea, and was still in the development stage. Three years and countless hours of engineering, development, and manufacturing effort later, we have completed the first production run.

GreatFET One is a general purpose (and like all of our tools, open source) USB peripheral. When we say it’s general purpose, we mean that there are a whole lot of interesting things a hardware hacker, or maker, or tinkerer can customize it to do, especially through the addition of add-on boards called neighbors. But you don’t need to add anything on to start using this versatile this tool; there is plenty of USB hackery to be accomplished with GreatFET One on its own. Check out what Kate Temkin has been up to over the last year or so!

Very soon, we will also start offering a clear acrylic case and Daffodil, a solderless breadboard neighbour. To learn more about the GreatFET project and to see which resellers are already stocking GreatFET One, visit the GreatFET One product page.