Research Saturday 9.14.19
Ep 102 | 9.14.19

Bluetooth blues: KNOB attack explained.

Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution, enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Daniele Antonioli: [00:01:53] I was looking at the main security procedure itself.

Dave Bittner: [00:01:57] That's Daniele Antonioli. He's from Singapore University of Technology and Design. The research we're discussing today is titled, "KNOB Attack – Key Negotiation of Bluetooth Attack: Breaking Bluetooth Security."

Daniele Antonioli: [00:02:11] There is a pairing that is a security procedure that is used to establish, like, a long-term secret between two devices that had never met before...

Dave Bittner: [00:02:21] Hmm.

Daniele Antonioli: [00:02:23] ...And then once you pair two devices, you can connect them, right? So little pieces of technology that uses, like, a pair once, connect multiple times paradigm. You pair your new pair of headphones with your laptop, and then you've paired them once, and then you connect them multiple times each time you want to use them. And actually, each time you connect these devices, there is a key negotiation protocol going on that is used by the devices to negotiate a session that might be used, for example, for encryption.

Daniele Antonioli: [00:02:57] And then I had a look at the specification of these protocols. And there are two main problems in this protocol. The first problem is that the key negotiation allows the devices to negotiate an entropy value for the new session key. And this entropy value can be as low as one byte. And one byte of entropy means that an attacker can brute force the key physically in real time. It has to guess one value in a set of 256 values. So this is the first major issue.

Daniele Antonioli: [00:03:35] And the second issue of the key negotiation of Bluetooth is the fact that the protocol is not protected. It is not integrity protected and it is not encrypted. And this means that an attacker who is in range, in Bluetooth range, with the two victims – two Bluetooth devices that are running this protocol – can first of all, observe the packets, and he can also manipulate the content of the packets. And given that there is no message integrity check, these packets basically are not authenticated, then the attacker can let any two Bluetooth victims negotiate an encryption key with one byte of entropy.

Dave Bittner: [00:04:15] Hmm. Is there any indication – what the historical reason is for this key negotiation process where they can negotiate the amount of entropy?

Daniele Antonioli: [00:04:28] Well, yeah. The specification is providing two main reasons. The first one is to cope with international regulations of cryptographic standards. For example, if you want to export some cipher in a different country, you have to cope with the regulation that is in that country. And the second motivation that is given by the specification is to cope with an attacker who has more computational power. But actually, the specification is not including the fact that an attacker can also downgrade the entropy through this key negotiation protocol. I guess it was supposed to be used to increase the entropy of the key over AES. But an attacker may very well downgrade the entropy of the encryption key.

Dave Bittner: [00:05:25] So, help me understand here. If I – let's say that, for example, I have paired my keyboard to my computer. I have a Bluetooth keyboard and I've connected it to my computer. And they went through an initial pairing routine...

Daniele Antonioli: [00:05:39] Yeah.

Dave Bittner: [00:05:41] ...And so, in that process, they would have established a certain amount of entropy in their key negotiation. Correct so far?

Daniele Antonioli: [00:05:50] Well, there is not really a key negotiation protocol in the pairing phase. In the pairing phase, you establish a different key that is called the "link key." It is a long-term key. And this key has 16 bytes of entropy. And the attacker doesn't have to observe the pairing phase and does not have to possess any information – any pre-shared secret – that resulted from the pairing phase. This is an important point that, yeah, I tried to explain multiple times and also there are some media articles covering the attack and they are reporting that the attack is conducted in the pairing phase, while instead the attack is conducted in another phase – this is the connection, the connection phase – regardless of what was exchanged during the pairing phase.

Dave Bittner: [00:06:45] Now, that's interesting, because, I mean – does that mean that the encryption used in the pairing phase doesn't really matter for this attack?

Daniele Antonioli: [00:06:55] Yes, because in the end, in the connection phase, you are generating a weak key, regardless of the strength of the key that you had generated previously during pairing. So even if the pairing – even if the key generated while pairing has 16 bytes of entropy, the attacker can downgrade the encryption key – that is a different key – and get a key with one byte of entropy.

Dave Bittner: [00:07:25] And that communication is happening in the clear.

Daniele Antonioli: [00:07:28] Yes.

Dave Bittner: [00:07:30] And is that a standard for Bluetooth? Is it possible to communicate using encryption with Bluetooth, or is the standard always have things going back and forth in the clear?

Daniele Antonioli: [00:07:41] Well, so Bluetooth supports link-layer encryption mechanisms, but before activating the encryption, you need an encryption key. And this is how they decided to design the key negotiation thing. It's not protected, it's not integrity protected, it is not encrypted, and these are [INAUDIBLE].

Dave Bittner: [00:08:06] So, let's walk through together what an attack would look like. Again, let's say that, for example, I had a Bluetooth keyboard connected to my computer and you were someone who wanted to get in and do the bad things you wanted to do – how would you go about doing that?

Daniele Antonioli: [00:08:23] Yeah. So the attacker can, of course, has to be in Bluetooth range of the two devices, and he can start eavesdropping the communications between these two devices. And once you try to connect your keyboard with your laptop, there is this key negotiation going on, and the attacker has to intercept the messages that are responsible for this entropy negotiation part of the protocol. And the attacker physically performs a standard man-in-the-middle attack and lets the two victims negotiate one byte of entropy.

Dave Bittner: [00:09:02] Now, once that has happened, is it possible for the attacker to stay in the middle, for – in other words, I'm using my keyboard and I don't know that there's anything wrong, but you're monitoring everything that I do.

Daniele Antonioli: [00:09:16] Well, yeah, the attacker then does not need to stay in the middle, because once he lets the victim negotiate the low-entropy key, then he has to simply wait and continues dropping the packets that would be encrypted with a weak key, and then the attacker can use the ciphertext as an oracle to brute force the key. And once the attacker gets access to the key, then the game is over – all the security guarantees provided by Bluetooth at the link layer are defeated. This means that the attacker then can recreate all the packets that are exchanged between your keyboard and your laptop, and potentially a powerful attacker can also inject valid packets in the encrypted session.

Dave Bittner: [00:10:06] How easy is it to achieve this sort of thing? Is this an easy attack, or does it take quite a bit of work?

Daniele Antonioli: [00:10:13] Well, it depends on the skills of the attacker. But if – let's say that there is a Bluetooth engineer that is familiar with testing Bluetooth connections and sending packets – Bluetooth packets, capturing Bluetooth packets over the air – I guess that, yes, someone with those skills can pull off the attack. It is more a method of engineering effort, I guess.

Dave Bittner: [00:10:39] And what are the mitigations that are available for this?

Daniele Antonioli: [00:10:42] Well, yeah. We – when we did the responsible disclosure with the Bluetooth consortium and CERT, we provided them a set of countermeasures, both legacy compliant and non-legacy compliant ones. A legacy compliant countermeasure is to fix the entropy value to 16 – that is the maximum entropy value allowed by the standard. And these required modifications in the firmware of these devices. Because another important point about the KNOB attack is the fact that these are stealthy. The end user is not notified about the encryption key, he's not notified about the entropy of the encryption key, because this protocol is spoken between the radio chip, and it is implemented in the firmware of the radio chip. So one way to mitigate the attack is to article 16 as the maximum and minimum allowed then for the entropy of encryption key, and then it will end up negotiating always the maximum amount of it.

Daniele Antonioli: [00:11:49] Otherwise, a mitigation that actually was also put in place by some vendors – such as, I guess Microsoft, Apple, and Android – is to check from the operating system of the device and not from the firmware, but from the operating system of your device check the amount of entropy that was negotiated, and then according to some threshold, then you can tear down the connection.

Dave Bittner: [00:12:15] Yeah, I was curious about this. So it is possible to have a fix for this from the operating system side. So you might not necessarily have to update firmware on your keyboard or your headphones or other devices.

Daniele Antonioli: [00:12:29] Yes. That's what actually happened for some operating systems like Microsoft, Android, macOS, I guess also iOS.

Dave Bittner: [00:12:40] What, in your estimation, what is the seriousness of this? How much should folks be concerned about it?

Daniele Antonioli: [00:12:48] Well, I guess in my opinion, this is a very serious attack because it is a standard-compliant attack. If your attack is standard-compliant, then regardless of the Bluetooth version of the devices, regardless of the implementers of the devices – any standard-compliant device might be potentially vulnerable. So I guess it is a pretty serious concern.

Dave Bittner: [00:13:08] Now, suppose I'm someone who's in charge of security at my organization, what steps should I be taking to make sure that we are prepared to defend against this sort of attack?

Daniele Antonioli: [00:13:20] Oh, yeah, that's a very good question. I guess that you should check if your operating system is already patched to address the KNOB attack. If not, maybe not use Bluetooth to exchange sensitive information. That's one thing that you can do.

Dave Bittner: [00:13:40] I guess part of the concern with this is that there are so many legacy devices out there. You know, it's hard for me to imagine people updating their headphones or their keyboards or things like that. I'm trying to think of – even their cars. I'm trying to think of examples where Bluetooth is used in an environment where it's not likely that an operating system is going to be updated or things like that.

Daniele Antonioli: [00:14:04] Yeah. Yeah. That's true. But still, you need to have two victims, and maybe your smartphone is more modern than your car, and the smartphone can detect the KNOB attack is going on. So, if one of the victims has a patchable operating system, then you might mitigate the threat.

Dave Bittner: [00:14:28] So, take us through the process of responsible disclosure with this.

Daniele Antonioli: [00:14:33] Yeah, sure. So, we discovered that vulnerability in May 2018, and then we wrote the first exploit around October 2018. And then we contacted the Bluetooth Special Interest Group and CERT, and we sent them our report and our proof-of-concept code. And they took our work seriously. We presented the work in August 2019, after almost one year of embargo.

Dave Bittner: [00:15:07] And so, the organization had time to evaluate what you had done, come up with mitigations, and then spread that to all of the interested parties.

Daniele Antonioli: [00:15:16] Yeah, exactly. So, yes, we behaved like ethical hackers, let's say it like this, and we gave more than enough time. Because usually, you have to give, I guess, six months, but we gave, like, ten months for the industry to react, and also we coordinated with them about the security patches.

Dave Bittner: [00:15:37] Now, have there been any reports of anyone using this technique beyond your research?

Daniele Antonioli: [00:15:43] As far as I know, no.

Dave Bittner: [00:15:49] Our thanks to Daniele Antonioli from the Singapore University of Technology and Design for joining us. The research is titled, "KNOB Attack – Key Negotiation of Bluetooth Attack: Breaking Bluetooth Security." You can find more on their website, knobattack.com. We'll have a link in the show notes.

Dave Bittner: [00:16:07] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.

Dave Bittner: [00:16:16] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

Dave Bittner: [00:16:24] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carol Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.