About the KNOB Attack
TL;DR: The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.
Bluetooth is a wireless communication protocol commonly used between low power devices to transfer data, e.g., between a wireless headset and a phone, or between two laptops. Bluetooth communications might contain private and/or sensitive data, and the Bluetooth standard provides security features to protect against someone who wants to eavesdrop and/or manipulate your information. We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to the listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired.
We call our attack the Key Negotiation of Bluetooth (KNOB) Attack. Because this attack affects basically all devices that "speak Bluetooth", we decided to coordinate public disclosure with industry to try to make sure that workarounds could be put in place. In November 2018 we shared details of the attack with the Bluetooth Special Interest Group (Bluetooth SIG)—the standards organisation that oversees the development of Bluetooth standards—as well as the CERT Coordination Center and the International Consortium for Advancement of Cybersecurity on the Internet (ICASI)—an industry led coordination body founded by Intel, Microsoft, Cisco, Juniper and IBM.
Video recording of the KNOB attack presentation at USENIX Security 2019 by Daniele Antonioli:
For more information on affected systems see CVE-2019-9506 . The technical details of the attack are available in our research paper and our slides. Our repository contains the code that we developed to implement and test the KNOB attack, including our PoC and the code for E0.
Are my Devices Vulnerable?
The KNOB attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack.
After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed.
References (not exhaustive): [Bluetooth SIG: Erratum 11838 note] [NVD NIST] [CVE] [CERT] [Intel] [Cypress (login required)] [Android] [Marvell] [Huawei] [Microsoft] [Apple: macOS iOS watchOS] tvOS] [Linux: debian Red Hat Ubuntu] [Github: CVE code CVE issues] [CISCO] [BlackBerry]
Team
The KNOB attack was identified, investigated, and demonstrated by an international team of researchers.
- Daniele Antonioli (Singapore University of Technology and Design)
- Nils Ole Tippenhauer (CISPA Helmholtz Center for Information Security)
- Kasper Rasmussen (University of Oxford)
Media Coverage
- /r/hardware and /r/netsec on Reddit
- #Knob and #KnobAttack on Twitter
- 2019/8/14: bleepingcomputer.com, "New Bluetooth KNOB Attack Lets Attackers Manipulate Traffic" by Lawrence Abrams
- 2019/8/14: Hackernews.com, "New Bluetooth Vulnerability Lets Attackers Spy On Encrypted Connections" by Mohit Kumar
- 2019/8/15: Forbes, "New Critical Bluetooth Security Issue Exposes Millions Of Devices To Attack" by Zak Doffman
- 2019/8/16: The Telegraph, "How hackers could listen to your phone calls through your Bluetooth headset from up to a mile away" by Laurence Dodds
- 2019/8/16: Decipher, "New Attack Exposes Serious Bluetooth Weakness" by Dennis Fisher
- 2019/8/16: HelpNetSecurity, "Critical Bluetooth flaw opens millions of devices to eavesdropping attacks" by Zeljka Zorz
- 2019/8/16: Softpedia News, "Major Bluetooth Security Flaw Discovered, Leaves Millions of Devices Vulnerable" by Marius Nestor
- 2019/8/17: Ars Technica, "New Attack exploiting serious Bluetooth weakness can intercept sensitive data" by Dan Goodin
- 2019/8/18: Tech Xplore, "Specification vulnerability in devices that speak Bluetooth is addressed" by Nancy Cohen
- 2019/8/20: Techtarget, "KNOB attack puts all Bluetooth devices at risk" by Michael Heller
- 2019/9/14: CyberWire, "Interview for the CyberWire Research Saturday podcast" by Dave Bittner
Non-English News
- 2019/8/16: Version2 (Danish), "Sikkerhedshul i Bluetooth lader hackere følge med i dataoverførsler" by Christoffer Elmann Ranhauge
- 2019/8/19: Heise Online (German), "KNOB-Attack: Schwerer Konzeptfehler in Bluetooth" by Dusan Zivadinovic
- 2019/8/22: LA RAZÓN (Spanish), "Los hackers podrían robar datos que se envían vía Bluetooth" by José A. Prados
- 2019/8/26: ANSA (Italian), "Bluetooth, scoperta una falla di sicurezza" by Redazione ANSA
- 2019/8/26: CORCOM (Italian), "Bluetooth, scoperta una “falla”: nel team anche un italiano" by Redazione CORCOM
- 2019/8/27: Corriere della Sera (Italian), "Bluetooth, ricercatore di Pesaro scopre falla nel sistema: «Abbiamo intercettato dati privati»" by Nicola Catenaro
- 2019/8/27: Il Giornale (Italian), "Grave falla nel sistema Bluetooth: ecco cosa si può spiare" by Pina Francone
- 2019/9/17: Wired.it (Italian), "Risolto pericoloso bug di sicurezza nel bluetooth, con un italiano nel team" by Diego Barbera
- 2019/9/21: Start Magazine (Italian), "Chi e come ha scovato una falla nella tecnologia Bluetooth" by Simone Martino