CVE-2019-9506: Bluetooth Devices Vulnerable to Key Negotiation of Bluetooth (KNOB) Attacks

By Jarren Buendia on December 6, 2019

Introduction

On August 14, 2019, a cybersecurity research team made up of Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen released a paper describing a flaw in how Bluetooth-enabled devices handle the creation of the encryption key used to secure the connection between them. The vulnerability leads to Key Negotiation of Bluetooth (KNOB) attacks, which can affect any form of Bluetooth connection.

Vulnerability

Bluetooth technology is integrated into many of the devices we own. Today, our phones, keyboards and mice, headphones, vehicles, radios, and even refrigerators come standard with this connectivity option. According to the paper written by Daniele Antonioli and his cybersecurity research team, Bluetooth connections do encrypt and secure the information flow once the connection is established, but the information flow is not secured during the encryption key negotiation phase. When Bluetooth-enabled devices begin negotiation, they must agree on how long the encryption “key” should be (between 1 and 16 bytes). The key itself is not something the user creates; rather, the Bluetooth devices determine how long that key should be and then use this random value to encrypt the information flow. During this phase, a malicious third party can listen in on the key negotiation conversation and send messages that appear to come from each legitimate party. The KNOB attack affects virtually all Bluetooth devices, from version 1.0 to the current 5.1, because it is a flaw in the Bluetooth protocol itself. According to Antonioli, the attacker does not need any pre-shared information and does not need to be present for the pairing sequence between legitimate users, because the key negotiation process is not secured. For the same reason, the KNOB attack succeeds even if legitimate users enable the strongest security mode of Bluetooth, and it is stealthy because the key negotiation phase is handled entirely by the Bluetooth chip and would not trip any system sensors.

Impact

The biggest impact of this vulnerability is that it affects the Bluetooth protocol itself, which means a multitude of devices may be vulnerable. In the study conducted by Antonioli and his team, they tested more than 14 different Bluetooth chips and found each to be vulnerable. Chip manufacturers like Broadcom, Qualcomm, Apple, and Intel were named. Attackers who successfully execute a KNOB attack can then intercept any message and also inject their own malicious packets into the communication, which can lead to more advanced issues like phone and VoIP recording. In another case, such as a Bluetooth keyboard being used with a laptop, an attacker can record every keystroke. This can include emails, documents, and login credentials.

Mitigation

At the time the report was produced, August 2019, virtually all Bluetooth devices were expected to be vulnerable to this attack. This is because allowing 1-byte keys is part of the Bluetooth standard. Fixing this issue relies on Bluetooth chip manufacturers implementing new security controls to secure user connections. Thus, be sure to update smartphones and other devices with the latest software patches released by your device manufacturer, and regularly check vendor websites for Bluetooth-enabled devices that don’t receive scheduled updates. According to a secondary article posted to the Carnegie Mellon CERT Coordination Center’s website, BlackBerry and the Bluetooth SIG itself have rolled out patches. Apple’s support page states this issue has been mitigated with the release of:

  • macOS Mojave version 10.14.16 (Released July 22, 2019)
  • Security Update 2019-004 (Released July 22, 2019)
    • macOS Sierra version 10.12.6
    • macOS High Sierra version 10.13.6
  • watchOS version 5.3 (Released July 22, 2019)
    • Apple Watch Series 1 and later 
  • tvOS version 12.4 (Released July 22, 2019)
    • Apple TV 4K and Apple TV HD
  • iOS version 12.4 (Released July 22, 2019)
    • iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Additionally, according to Android’s website, this issue was mitigated in Android versions 7.0 and higher. This security patch was released on August 05, 2019.
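The negotiation flaw described under Vulnerability and the minimum-key-length control that vendors are relying on under Mitigation can both be illustrated with a small model of the key-size negotiation. This is an added example, not code from the article or from the paper’s authors; the `Device`, `negotiate` and `brute_force_space` names, the two-message flow, and the 7-byte policy minimum used in the comments are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MIN_SPEC, MAX_SPEC = 1, 16  # key-size range the protocol allows, per the article


@dataclass
class Device:
    """One endpoint in the key-size negotiation (hypothetical model)."""
    name: str
    max_entropy: int = MAX_SPEC  # largest key size this chip supports
    min_entropy: int = MIN_SPEC  # smallest it will accept; 1 is the unpatched default
    log: List[str] = field(default_factory=list)

    def propose(self) -> int:
        return self.max_entropy

    def _acceptable(self, n: int) -> bool:
        if not MIN_SPEC <= n <= MAX_SPEC:
            self.log.append(f"{self.name}: malformed key size {n}")
            return False
        if n < self.min_entropy:  # the patched behaviour: refuse short keys outright
            self.log.append(f"{self.name}: rejected {n}-byte key, policy minimum {self.min_entropy}")
            return False
        return True

    def respond(self, proposed: int) -> Optional[int]:
        # Responder side: accept the proposal, capped at our own maximum, or refuse.
        if not self._acceptable(proposed):
            return None
        return min(proposed, self.max_entropy)

    def confirm(self, accepted: int) -> Optional[int]:
        # Initiator side: the reply is unauthenticated too, so re-check it against policy.
        return accepted if self._acceptable(accepted) else None


def negotiate(initiator: Device, responder: Device,
              tamper: Callable[[int], int] = lambda n: n) -> Optional[int]:
    """Run the two-message negotiation. `tamper` stands in for an unauthenticated
    in-path party rewriting each message, which is the downgrade the article
    describes. Returns the agreed key size in bytes, or None if a side refuses."""
    accepted = responder.respond(tamper(initiator.propose()))
    if accepted is None:
        return None
    return initiator.confirm(tamper(accepted))


def brute_force_space(entropy_bytes: int) -> int:
    """Number of candidate keys an eavesdropper must try for a negotiated size."""
    return 2 ** (8 * entropy_bytes)
```

With both sides at the unpatched minimum of 1, a rewritten proposal yields a 1-byte key (256 candidates); setting `min_entropy=7` on either side makes the negotiation fail instead of silently accepting the short key.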

References

“Android Security Bulletin—August 2019.” Retrieved from: source.android.com. 28 Aug 2019.

“Apple security updates.” Retrieved from: support.apple.com. 29 Aug 2019.

“Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks.” Retrieved from: kb.cert.org. 28 Aug 2019.

“The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR.” Retrieved from: usenix.org. 28 Aug 2019.