The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR

Abstract

We present an attack on the encryption key negotiation protocol of Bluetooth BR/EDR. The attack allows a third party, ithout knowledge of any secret material (such as link and ncryption keys), to make two (or more) victims agree on an ncryption key with only 1 byte (8 bits) of entropy. Such low ntropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, nd inject valid encrypted messages (in real-time). The attack s stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant ecause all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not ecure the key negotiation protocol. As a result, the attacker ompletely breaks Bluetooth BR/EDR security without being etected. We call our attack Key Negotiation Of Bluetooth (KNOB) attack.

The attack targets the firmware of the Bluetooth chip because the firmware (Bluetooth controller) implements all he security features of Bluetooth BR/EDR. As a standardcompliant attack, it is expected to be effective on any firmware hat follows the specification and on any device using a vulnerable firmware. We describe how to perform the KNOB ttack, and we implement it. We evaluate our implementation n more than 14 Bluetooth chips from popular manufacturers such as Intel, Broadcom, Apple, and Qualcomm. Our esults demonstrate that all tested devices are vulnerable to he KNOB attack. We discuss countermeasures to fix the luetooth specification and its implementation.