| Name |
Key Negotiation of Bluetooth Attack (KNOB) |
|
| Likelyhood of attack |
Typical severity |
| Low |
High |
|
| Summary |
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication. |
| Prerequisites |
Person in the Middle network setup. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Discovery] Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process. |
- Use packet capture tools.
|
| 2 |
Experiment |
[Change the entropy bits] Upon recieving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded. |
|
| 3 |
Exploit |
[Capture and decrypt data] Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device. |
|
|
| Solutions | Newer Bluetooth firmwares ensure that the KNOB is not negotaited in plaintext. Update your device. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-285 |
Improper Authorization |
| CWE-425 |
Direct Request ('Forced Browsing') |
| CWE-693 |
Protection Mechanism Failure |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-115 |
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. |
| CAPEC-148 |
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes. |
|