The vulnerability resides in the way devices choose an entropy value for encryption keys while establishing a connection: an attacker in close proximity to the victim’s device could intercept or manipulate encrypted Bluetooth traffic between two paired devices.



Researchers at the Singapore University of Technology and Design, CISPA Helmholtz Center for Information Security, and University of Oxford disclosed a new attack they called Key Negotiation of Bluetooth (KNOB) that affects every device released before 2018 (and potentially some released after) because of an issue with the Bluetooth protocol itself.
This attack can be used to make it easier to brute-force the encryption keys used by the devices.

KNOB (CVE-2019-9506) was discovered by researchers in 2018 and affects 17 unique Bluetooth chips made by Qualcomm, Apple, Intel, and Chicony; it is also possible that it affects every Bluetooth device, because the problem lies with the Bluetooth architecture itself:

We call our attack the Key Negotiation of Bluetooth (KNOB) Attack. Because this attack affects basically all devices that "speak Bluetooth", we decided to coordinate public disclosure with industry to try to make sure that workarounds could be put in place.
In November 2018 we shared details of the attack with the Bluetooth Special Interest Group (Bluetooth SIG)—the standards organisation that oversees the development of Bluetooth standards—as well as the CERT Coordination Center and the International Consortium for Advancement of Cybersecurity on the Internet (ICASI)—an industry led coordination body founded by Intel, Microsoft, Cisco, Juniper and IBM.

https://knobattack.com/


The research team


Technical paper and PoC

The researchers released a technical paper and a PoC:

Requirements

  • Rooted Nexus 5 running the internalblue/android_bluetooth_stack/nexus5_android6_0_1/bluetooth.default.so Android Bluetooth stack
  • Laptop running a Linux based OS
  • Wireshark

Perform the KNOB attack

  1. Connect the Nexus 5 to your laptop via USB
  2. Install our modified internalblue v0.1 by opening a terminal and cd'ing into internalblue and running sudo python2 setup.py install
  3. Open a terminal and run internalblue
  4. From the internalblue prompt start LMP monitoring with monitor lmp start
    • A Wireshark window should pop up
    • If from the terminal you get a bunch of error messages including Error: unrecognized option -mthumb you should close the Wireshark window and internalblue, uncomment line 116 in internalblue/internalblue/core.py to trigger a custom exception, and restart from step 2 (installation).
  5. Pair a target Bluetooth device with the Nexus 5
  6. Start a connection from the Nexus 5 to the target device. In other words, the Nexus 5 has to be the master and should send the first LMP_encryption_key_size_req packet. We have other internalblue patches to perform the same attack when the Nexus 5 is the slave; it is just a matter of sending the correct LMP packet format.
  7. On Wireshark you should see the Nexus (Bluetooth master) negotiating encryption keys with 1 byte of entropy (like what happens from packet 121 to packet 127 in our sample pcap file). Note that our sample pcap was captured before the release of any KNOB attack patch.
  8. Check if the target device is vulnerable
    • Android (tested only on a Pixel 2): If the target device sends first an LMP_accept (in response to an LMP_start_encryption_req) and then an LMP_detach message due to security reasons then the target device is patched against the KNOB attack.
  9. Close Wireshark and internalblue
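As an added example (not part of the researchers' PoC or of internalblue), the two observations from steps 7 and 8 can be turned into a small checker that a defender runs over a decoded LMP exchange: which key size actually ended up accepted, and whether the peer detached right after accepting LMP_start_encryption_req. The event tuples, the traces and the min_key_size policy value are constructed assumptions, not real pcap data; the checker also handles a counter-proposal from the other side, which the steps above do not show.

```python
# Added example (not from the KNOB PoC or internalblue): classify a simplified,
# hand-constructed LMP transcript.  Each event is (sender, pdu, argument): the
# argument is the proposed key size for LMP_encryption_key_size_req and the name
# of the request being answered for LMP_accept (decode a real capture into this).
from typing import Any, List, Optional, Tuple

LmpEvent = Tuple[str, str, Any]
MAX_KEY_SIZE = 16  # BR/EDR encryption keys are negotiated between 1 and 16 bytes

def negotiated_key_size(events: List[LmpEvent]) -> Optional[int]:
    """Key size in force once a proposal is accepted, or None if never agreed.
    Every LMP_encryption_key_size_req (either side may counter-propose) replaces
    the current proposal; the LMP_accept answering it fixes the last one."""
    proposed: Optional[int] = None
    for _sender, pdu, arg in events:
        if pdu == "LMP_encryption_key_size_req":
            proposed = int(arg)
        elif pdu == "LMP_accept" and arg == "LMP_encryption_key_size_req":
            return proposed
    return None

def peer_detached_after_encryption(events: List[LmpEvent]) -> bool:
    """Step-8 signature of a patched peer: it accepts LMP_start_encryption_req
    and then sends LMP_detach itself."""
    accepted_by = None
    for sender, pdu, arg in events:
        if pdu == "LMP_accept" and arg == "LMP_start_encryption_req":
            accepted_by = sender
        elif pdu == "LMP_detach" and sender == accepted_by:
            return True
    return False

def classify(events: List[LmpEvent], min_key_size: int = MAX_KEY_SIZE) -> str:
    """min_key_size is a local policy threshold (an assumption), not a spec value."""
    size = negotiated_key_size(events)
    if size is None:
        return "no-negotiation"
    if peer_detached_after_encryption(events):
        return "peer-detached"      # peer refused to run on the negotiated key
    if size < min_key_size:
        return f"weak-key:{size}"   # downgrade accepted: KNOB-style exposure
    return "ok"

# Constructed traces mirroring step 7 (1-byte key) and step 8 (patched peer).
WEAK_ACCEPTED: List[LmpEvent] = [
    ("master", "LMP_encryption_key_size_req", 1),
    ("slave", "LMP_accept", "LMP_encryption_key_size_req"),
    ("master", "LMP_start_encryption_req", None),
    ("slave", "LMP_accept", "LMP_start_encryption_req"),
]
PATCHED_PEER: List[LmpEvent] = WEAK_ACCEPTED + [("slave", "LMP_detach", None)]
```

Running classify(WEAK_ACCEPTED) yields "weak-key:1" and classify(PATCHED_PEER) yields "peer-detached"; a trace where the slave counter-proposes 7 and the master accepts is reported as "weak-key:7" under the default policy and "ok" with min_key_size=7.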


Which devices are vulnerable?

The researchers disclosed the attack to industry in late 2018, so every device released or updated after that date should already be patched:

The KNOB attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack.
After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices.

So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed.


References