KNOB Attack Weakens Bluetooth Encryption

Credit: ShutterstockCredit: Shutterstock


It turns out Bluetooth might have more in common with doors than we thought. Researchers disclosed a new attack they called Key Negotiation of Bluetooth (KNOB) that affects every device released before 2018 (and potentially some released after) because of an issue with the Bluetooth protocol itself. This attack can be used to make it easier to brute-force the encryption keys used by the devices.

KNOB was discovered by researchers at the Singapore University of Technology and Design, CISPA Helmholtz Center for Information Security, and University of Oxford in 2018. The researchers said they confirmed that KNOB affects 17 unique Bluetooth chips made by Qualcomm, Apple, Intel, and Chicony. Because the problem lies with Bluetooth itself, however, it lis possible that it affects every Bluetooth device.

The issue specifically lies with the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) Core Configurations, which are used for low-power short-range communications, according to the CERT Coordination Center that handles public vulnerability disclosures. KNOB takes advantage of a flaw in these configurations that allows it to reduce the entropy of the encryption keys used to secure transmissions.

Higher entropy makes it harder for attackers to brute-force an encryption key; lower entropy makes it easier. KNOB enables attackers to lower the entropy of the encryption keys when two Bluetooth devices are figuring out exactly how much entropy the keys should have. CERT likened the process to a proposal where one device (Alice) asks another (Bob) if 16 bytes of entropy would be okay.

This proposal is necessary because not all Bluetooth devices use the same version of the standard, meaning they're supposed to support varying amounts of entropy, and because not all ostensibly standard-compliant devices actually enforce these minimums. If every device just used 16 bytes of entropy things would be hunky-dory. Because they don't, the entropy level is determined via a public exchange.

The problem is that a public exchange can be observed by other devices and, as the researchers proved with the KNOB attack, interfered with. KNOB intercepts Alice's proposal to Bob, sets the entropy level to 1 byte, and then intercepts the response to convince Alice that Bob can only support 1 byte of entropy. Now the encryption keys are more vulnerable to a brute-force attack than they would've been.

Bluetooth SIG said it responded to KNOB by updating the Bluetooth Core Specification to "recommend a minimum encryption key length of 7 octets for BR/EDR connections."  It also plans to start testing against this recommendation for the Bluetooth Qualification Program and said it "strongly recommends that product developers update existing solutions" to enforce the recommended encryption key length.

The researchers who disclosed KNOB said they informed manufacturers of the vulnerability in late 2018. They believe "some vendors might have implemented workarounds for the vulnerability on their devices," but devices that haven't been updated since late 2018 "is likely vulnerable." Updated devices aren't guaranteed to be safe, though, because vendors might not have addressed the issue.

KNOB makes it even more important to install Bluetooth updates as they become available. Knowing the vulnerability is out there but choosing to make devices more vulnerable to attack would be like, well, refusing to replace a broken doorknob. It's an obvious problem with a relatively easy solution--provided tech companies properly respond to its disclosure--that doesn't make any sense to ignore.

1 comment
    Your comment
  • digitalgriffin
    That's a clever attack.

    However modifying the entropy though via injection into the stream I think would be hit or miss.

    The attacker would have to intercept and respond before the two devices do, or force a failure and renegotiate on entropy. This makes it a bit of a random chance.

    So you would have to be there when someone of interest if pairing, and THEN be able to respond before the handshake on entropy completes.