A fresh Bluetooth vulnerability, called “KNOB,” was revealed, allowing attackers to brutalize the encryption key used to monitor or manipulate information transmitted between two pairs of devices easier.
A new vulnerability known as “KNOB,” affecting Bluetooth BR / EDR devices, otherwise known as Bluetooth Classic, with variants 1.0-5.1 has been revealed in a co-ordinated disclosure between Center for IT-Security, Privacy and Accountability (CISPA), and members of ICASI including Microsoft, Apple, Intel, Cisco and the Amazon.
This error is assigned CVE ID CVE-2019-9506 and enables an attacker to decrease the duration of the encryption key used to connect. In some cases, the length of an encryption key could be reduced to one octet.
“The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used,” stated an advisory on Bluetooth.com. “In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet.”
This decreased key length would make brutalizing the encryption key used by pair machines much easier for an attacker to communicate.
Once the key was known to the attackers, the information sent between machines could be monitored and manipulated. This involves possibly injecting commands, main strokes and other behavioral kinds.
ICASI is unaware that this attack is maliciously used or that any devices to initiate this sort of attack are produced.
This vulnerability has been detected at the USINEJ Security Symposium by Daniele Antonioli of SUTD, Singapore, Dr Nils Ole Tippenhauer, CISPA and Prof. Kasper Rasmussen of the University of Oxford, England. You will also release a document called “The KNOB is Broken: Exploiting Low Entropy in Bluetooth BR / EDR’s Encryption Key Negotiation” on 14 August 2019.
It’s not simple to use the attack.
It is not an simple job to exploit this vulnerability as it needs certain circumstances. This involves:
- Bluetooth BR / EDR must be both instruments.
- An intruder would have to be in the range of the appliances when connecting.
- “The attacking machine needs to intercept, manipulate and transmit key length negotiation emails between the two machines while blocking both transmissions within a limited time window.”
- The encrypt important needs to be reduced effectively and then brute has to break the decryption key.
- Every time the devices are paired, the attacker must repeat this attack.
KNOB vulnerability mitigation.
The Bluetooth specification was updated to recommend a minimum encryption key length of 7 octets for BR / EDR links in order to solve that vulnerability.
“In order to recommend a minimum cryptographic key of 7 octets for the EDR connection, Bluetooth SIG have updated its Bluetooth core specification. In addition, it will include the testing of the new recommendation in our Bluetooth Qualification Programme. Furthermore, Bluetooth SIG highly proposes that product designers update current alternatives to apply a minimum lenght for the encryption core.
When the update is installed, this function must be added into HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth key for Windows, and set to 1.
You then need to switch off Bluetooth, disable and allow the Device Manager Bluetooth device, and switch Bluetooth back on.
The EnableMinimumEncryptionKeySize can be set to 0 to deactivate this mitigation.
Full list of vendors
Below is the full list provided by ICASI of members and partners and whether they are affected:
- A10 Networks: Not Impacted
- Blackberry: http://support.blackberry.com/kb/articleDetail?articleNumber=000057251
- Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190813-bluetooth
- Intel Corporation: Not impacted. Further Information is available here: https://software.intel.com/security-software-guidance/insights/more-information-exploiting-low-entropy-encryption-key-negotiation-bluetooth-bredr
- Johnson Controls: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- Juniper: Not Impacted
- Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506
- Oracle: Not Impacted
- VMWare: Not Impacted
ICASI USIRP Partners:
- Apple: https://support.apple.com/kb/HT201222
- Lenovo: https://support.lenovo.com/us/en/product_security/LEN-27173
- Bluetooth Special Interest Group: https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth
- CERT CC: https://www.kb.cert.org/vuls/id/918987
- Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506