Bluetooth is an ubiquitous technology for low power wireless communications. Bluetooth runs on billions of devices including mobile, wearables, home automation, smart speakers, headsets, industrial and medical appliances, and vehicles. As a result, Bluetooth's attack surface is huge, and includes significant threats such as identity thefts, privacy violations, and malicious device control.
Bluetooth is a complex technology specified in an open standard. The standard defines two wireless stacks Bluetooth "classic" BR/EDR for high throughput services (e.g., audio and voice) and Bluetooth Low Energy (BLE) for very low power services (e.g., localization, and monitoring). The standard defines security mechanisms to protect Bluetooth communications. Those mechanisms include pairing to share a long term key among two devices, and secure session establishment to let two paired devices negotiate session keys. It is paramount that those standard security mechanisms provide the security guarantees that they promise such as confidentiality, authenticity, and integrity of data. A single vulnerability in a standard security mechanism translates into billions of exploitable devices.
This talk describes how we managed to find and exploit standard compliant 0-days in the Bluetooth standard. We describe, in detail, the Bluetooth security architecture including its main components (Host, Controller) and protocols (HCI, LMP, and SMP). Then we talk about the Key Negotiation of Bluetooth (KNOB) attack on Bluetooth "classic" BR/EDR [CVE-2019-9506] and its extension to BLE. The KNOB attacks are enabled by standard compliant 0-days in the key negotiation protocols of Bluetooth "classic" BR/EDR and BLE. In particular, those protocols allow to negotiate keys with very low entropy (strength), and they do not protect the integrity of entropy negotiation. Using the KNOB attack, a man-in-the-middle attacker can force a Bluetooth "classic" BR/EDR session key to 1 byte of entropy, and a BLE long term key to 7 bytes of entropy. Such low entropy values are unacceptable in 2020 and can easily (for BLE) or trivially (for BR/EDR) be brute forced.
As a result of our attacks, a remote attacker gets access to private data, and inserts valid malicious data on Bluetooth "classic" BR/EDR and BLE secure connection. The exploits are effective on any standard compliant Bluetooth device regardless of software, hardware vendors and versions, Bluetooth version, supported security features, or security mode in use. As a result of our disclosure in 2019 the Bluetooth SIG amended the standard by requiring 7 byte of entropy as minimum entropy value for Bluetooth BR/EDR (as for BLE). Only some vendors, including Intel, Google, Apple, and Microsoft patched a subset of their products to address the KNOB attack, and in the talk we describe some of those patches and why they are not effective. We also describe why the majority of low-end devices that we tested, remains vulnerable to the 1 byte entropy downgrade. We conclude the talk describing the main lessons that we learnt while finding and exploiting Bluetooth standard compliant 0 days.
The KNOB attacks were identified, investigated, and demonstrated by Daniele Antonioli, Nils Tippenhauer, and Kasper Rasmussen, more information at https://knobattack.com
Daniele Antonioli is a Postdoctoral researcher working with Mathias Payer's
HexHive research group at the EPFL in Switzerland.
Daniele is interested in wireless systems security (e.g., Bluetooth, Wi-Fi, Nearby Connections), cyber-physical systems security (e.g., ICS, MiniCPS, SCADA) and applied cryptography (e.g., secure protocol analysis and reverse engineering).
Daniele holds a PhD in Computer Science from SUTD (Singapore), a MS and BS in Electronics and Telecommunications Engineering from UniBO (Italy). More information about Daniele are in his personal website at https://francozappa.github.io
Mathias Payer is a security researcher and an assistant professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques. All prototype implementations are open-source.
Mathias joined EPFL in 2018 after spending 4 years as assistant professor at Purdue University and 2 years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012. In 2018, he co-founded the EPFL polygl0t CTF team and in 2014, he founded the Purdue b01lers CTF team.