Those who are familiar with BR/EDR technology (also known as Bluetooth Classic) can confirm that it is not flawless. Like any other piece of software or hardware technology on the market, it comes with imperfections, even if you have purchased the best Bluetooth speakers or other Bluetooth devices.
Researchers from the Singapore University of Technology released a paper on a category of brute-force attack termed KNOB, or Key Negotiation of Bluetooth. KNOB identifies and exploits a flaw in a device's Bluetooth firmware that permits attackers to perform a Man-in-the-Middle (MiTM) attack and reveal or leak sensitive information.
The Bluetooth vulnerability that Key Negotiation of Bluetooth (KNOB) targets is tracked as CVE-2019-9506. According to the paper, Bluetooth chips produced by Broadcom, Intel, Qualcomm and Apple are vulnerable to KNOB attacks.
What causes a KNOB attack?
The researchers identified two conditions that permit successful KNOB attacks.
First, Bluetooth typically allows the use of an encryption key with a minimum length of 1 byte, which can hold one character; think of it as a 1-character PIN. Such a key has low entropy, meaning it is easily guessed or predicted. Although a low-entropy key still leaves a Bluetooth connection encrypted, attackers can easily defeat it with a brute-force attack.
The researchers said that the one-byte lower bound was put in place to comply with international encryption regulations.
Second, Bluetooth typically does not detect or verify changes in entropy when the two devices negotiate the key size they will use to encrypt their link. Worse, this pre-pairing exchange is not encrypted. The device receiving the pairing request simply accepts the low-entropy key.
Basically, this leaves users believing they are exchanging sensitive data securely with a paired device over what they assume is a secure connection, when it is not. And there is no way for them to tell.
How does it work?
The researchers demonstrated their attack with an illustration involving three individuals named Bella, Jack, and Sara, the first two being the potential targets and the last the attacker.
- Bella, who in this example is the owner of the master device (the Bluetooth device trying to initiate a secure connection with another Bluetooth device), sends a pairing request to Jack, who owns the slave device. A master device can pair with many slaves, but in this case we use only one, Jack's.
- Before the two devices are paired, Bella and Jack must first agree on an encryption key to secure their connection. This is where the negotiation happens. Bella would like her and Jack to use an encryption key with 16 bytes of entropy.
- Sara, the attacker, intercepts this request and changes the entropy from 16 bytes to one byte before forwarding it to Jack.
- Jack receives the altered request with 1 byte of entropy and sends an acceptance message back to Bella.
- Sara intercepts the acceptance message and alters it into a proposal to use an encryption key with one byte of entropy.
- Bella receives the altered proposal, agrees to use an encryption key with 1 byte of entropy, and sends an acceptance message to Jack.
- Sara drops Bella's acceptance message because, as far as Jack knows, he never sent a proposal to Bella.
- The pairing between Bella's and Jack's devices succeeds.
Unfortunately, Bella and Jack would have no clue that they are relying on a poorly encrypted Bluetooth connection that Sara can easily eavesdrop on while they exchange information.
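As an added example (not from the original article or the KNOB paper), the following Python model replays the Bella/Jack/Sara exchange above, once over an honest channel and once with the attacker rewriting messages in flight, and shows the mitigation: a firmware floor on the accepted key entropy, set here to the 7-octet minimum the Bluetooth SIG recommended after KNOB. The message and device classes are constructed for the illustration and are not real Bluetooth stack code.

```python
from dataclasses import dataclass
from typing import Callable, Optional
# Constructed simulation of the key-size negotiation walked through above; it is
# not Bluetooth stack code and nothing is sent over the air. Entropy is in octets.
MAX_ENTROPY = 16          # the largest key entropy BR/EDR allows
LEGACY_MIN_ENTROPY = 1    # the spec lower bound that KNOB exploits
HARDENED_MIN_ENTROPY = 7  # minimum the Bluetooth SIG recommended after KNOB

@dataclass
class KeySizeMsg:
    entropy: int  # a key-size proposal, or an echo of one as acceptance

@dataclass
class Device:
    name: str
    min_entropy: int = LEGACY_MIN_ENTROPY  # the floor this firmware enforces
    negotiated: Optional[int] = None

    def respond(self, msg: KeySizeMsg) -> Optional[KeySizeMsg]:
        """Accept a proposal at or above our floor (echo it back), else refuse."""
        if msg.entropy < self.min_entropy:
            return None  # refusal: pairing aborts instead of being downgraded
        self.negotiated = msg.entropy
        return KeySizeMsg(msg.entropy)

def negotiate(master: Device, slave: Device,
              tamper: Optional[Callable[[KeySizeMsg], KeySizeMsg]] = None) -> Optional[int]:
    """Run the walkthrough's exchange. `tamper` models Sara rewriting each message
    in flight (None is an honest channel). Returns the agreed entropy or None."""
    proposal = KeySizeMsg(MAX_ENTROPY)   # Bella proposes 16 octets
    if tamper:
        proposal = tamper(proposal)      # Sara rewrites the proposal to 1 octet
    reply = slave.respond(proposal)      # Jack accepts or refuses
    if reply is None:
        return None
    if tamper:
        reply = tamper(reply)            # Sara turns the acceptance into a 1-octet proposal
    final = master.respond(reply)        # Bella accepts or refuses
    if final is None:
        return None
    return final.entropy                 # Sara drops Bella's acceptance; both sides hold this value

def brute_force_keyspace(entropy_octets: int) -> int:
    """Candidate keys an attacker must try for a negotiated entropy."""
    return 2 ** (8 * entropy_octets)

def downgrade_to_one(msg: KeySizeMsg) -> KeySizeMsg:
    """Sara's rewrite from the walkthrough: every message now says 1 octet."""
    return KeySizeMsg(1)
```

With the legacy floor on both devices the tampered negotiation settles on one octet, a 256-key search; with the hardened floor on either device the same tampering makes the pairing fail instead of silently downgrading.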
Although this may sound very simple, it is highly unlikely that we will see somebody carrying out this type of attack, targeted or opportunistic, in places like ice-cream parlors and airports. Executing an effective over-the-air KNOB attack requires certain costly tools, such as a finely tuned brute-force script and a Bluetooth protocol analyzer. An over-the-air attack is also extremely hard to perform, which is why the researchers opted for an inexpensive, simpler, and more reliable means of evaluating the effectiveness of a KNOB attack in their simulations.
Below is a list of vendors and their status with respect to the KNOB attack:
Android Open Source Project – Status: Affected
Apple – Status: Affected
Broadcom – Status: Affected
Cypress Semiconductor – Status: Affected
Dell – Status: Affected
Google – Status: Affected
Intel – Status: Affected
QUALCOMM Incorporated – Status: Affected
Dell EMC – Status: Not Affected
Microsoft – Status: Not Affected
RSA Security LLC – Status: Not Affected
Bluetooth SIG – Status: Unknown
Linux Kernel – Status: Unknown