A review of the BIAS and KNOB attacks on Bluetooth Classic and - PowerPoint PPT Presentation

  1. WAC workshop 2020
  A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy
  Daniele Antonioli
  Daniele Antonioli ( @francozappa ) A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy 1

  2. Who Am I
  • Daniele Antonioli
    ◮ Postdoc at EPFL
    ◮ I like cyber-physical and wireless systems, protocol analysis, applied crypto, ...
    ◮ Twitter: @francozappa
    ◮ Website: https://francozappa.github.io
  • I work in the HexHive group led by Mathias Payer
    ◮ System security, e.g., Bluetooth security and DP3T
    ◮ More: https://hexhive.epfl.ch/

  3. BIAS and KNOB attacks on Bluetooth
  • Key Negotiation Of Bluetooth (KNOB) Attack
    ◮ Exploits Bluetooth’s key negotiation
    ◮ CVE-2019-9506: https://www.kb.cert.org/vuls/id/918987/
  • Bluetooth Impersonation AttackS (BIAS)
    ◮ Exploits Bluetooth’s key authentication
    ◮ CVE-2020-10135: https://kb.cert.org/vuls/id/647177/
  • KNOB and BIAS attacks are standard-compliant
    ◮ Billions of vulnerable devices
    ◮ E.g. smartphones, laptops, tablets, headsets, cars, ...

  4. Talk Outline
  • The talk has three parts
    ◮ Part 1: Introduction to Bluetooth and its security mechanisms
    ◮ Part 2: High-level description of the BIAS and KNOB attacks
    ◮ Part 3: Attacks’ implementation, evaluation and countermeasures
  • Related work by Nils Tippenhauer, Kasper Rasmussen, and myself
    ◮ “The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR” [SEC19]
    ◮ “Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy” [TOPS20]
    ◮ “BIAS: Bluetooth Impersonation AttackS” [S&P20]

  5. Part 1: Introduction about Bluetooth

  6. Bluetooth Classic and Bluetooth Low Energy
  • Bluetooth
    ◮ Pervasive wireless communication technology
  • Bluetooth Classic (BT)
    ◮ High-throughput services
    ◮ E.g., audio, voice
  • Bluetooth Low Energy (BLE)
    ◮ Very low-power services
    ◮ E.g., wearables, contact tracing

  7. Bluetooth Standard
  • Bluetooth Standard
    ◮ Complex documents (Bluetooth Core v5.2, 3,256 pages)
    ◮ Custom security mechanisms (pairing, secure sessions)
    ◮ No public reference implementation
  https://www.bluetooth.com/specifications/bluetooth-core-specification/

  8. Bluetooth Security: Pairing and Secure Sessions


  14. Bluetooth Security: Impersonation and MitM


  17. Part 2: KNOB Attack on BLE

  18. BLE Pairing
  Alice (master, address A) and Bob (slave, address B)
  Phase 1: Feature exchange (including key negotiation)
  Phase 2: Key establishment and optional authentication
  Phase 3: Key distribution (over encrypted link)

  19. Issues with BLE Pairing (Key Negotiation)
  Alice (master, address A) and Bob (slave, address B)
  Phase 1: Feature exchange (including key negotiation)
    Alice -> Bob: Pairing Request: IO, AuthReq, KeySize, InitKey, RespKey
    Bob -> Alice: Pairing Response: IO, AuthReq, KeySize, InitKey, RespKey
  • Issues
    ◮ KeySize negotiation is not protected, i.e. no integrity, no encryption
    ◮ KeySize values (pairing key strength) between 7 bytes and 16 bytes

  20. KNOB Attack on BLE
  Alice (master, A), Charlie (attacker, C), Bob (slave, B)
  Phase 1: Feature exchange (including key negotiation), relayed through Charlie
    IO, AuthReq, KeySize: 16, InitKeys, RespKeys
    IO, AuthReq, KeySize: 7, InitKeys, RespKeys
    IO, AuthReq, KeySize: 7, InitKeys, RespKeys
    IO, AuthReq, KeySize: 16, InitKeys, RespKeys
  Phase 2: Key establishment and optional authentication
  Phase 3: Key distribution over encrypted link
  • KNOB attack on BLE
    ◮ Downgrade BLE pairing key to 7 bytes of entropy
    ◮ Session keys will inherit 7 bytes of entropy
    ◮ Brute-force the session key and break BLE security
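An added example, not code from the talk or its author, showing the host-side check that stops this downgrade: parse the SMP Pairing Request/Response octets the slides list and refuse to continue to Phase 2 when the negotiated KeySize is below 16 bytes. The 7-byte PDU layout (opcode, IO capability, OOB flag, AuthReq, maximum encryption key size, initiator and responder key distribution) is the SMP format from the Bluetooth Core specification; the sample PDUs and the 16-byte policy are constructed for the example.

```python
from dataclasses import dataclass

SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE = 0x01, 0x02  # Phase 1 opcodes
MIN_KEY_SIZE, MAX_KEY_SIZE = 7, 16   # KeySize range the standard allows (bytes)
REQUIRED_KEY_SIZE = 16               # host policy: refuse anything weaker

@dataclass
class PairingFeatures:
    """Octets of an SMP Pairing Request/Response, in wire order."""
    code: int
    io_capability: int
    oob_flag: int
    auth_req: int
    max_key_size: int     # the unprotected KeySize field that KNOB tampers with
    init_key_dist: int
    resp_key_dist: int

def parse_smp_pairing(pdu: bytes) -> PairingFeatures:
    """Parse one 7-byte SMP Pairing Request/Response PDU (opcode + 6 octets)."""
    if len(pdu) != 7 or pdu[0] not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError("not an SMP Pairing Request/Response")
    feat = PairingFeatures(*pdu)
    if not MIN_KEY_SIZE <= feat.max_key_size <= MAX_KEY_SIZE:
        raise ValueError(f"KeySize {feat.max_key_size} outside 7..16")
    return feat

def check_key_negotiation(req_pdu: bytes, rsp_pdu: bytes,
                          required: int = REQUIRED_KEY_SIZE) -> dict:
    """Gate the pairing before Phase 2. The negotiated size is the minimum of
    both KeySize fields, so one tampered value downgrades the pairing key and
    every session key derived from it."""
    req, rsp = parse_smp_pairing(req_pdu), parse_smp_pairing(rsp_pdu)
    if req.code != SMP_PAIRING_REQUEST or rsp.code != SMP_PAIRING_RESPONSE:
        raise ValueError("expected a Pairing Request followed by a Pairing Response")
    size = min(req.max_key_size, rsp.max_key_size)
    return {"key_size": size, "entropy_bits": 8 * size, "accept": size >= required}

# Constructed sample PDUs: IO=0x03 (NoInputNoOutput), OOB=0x00, AuthReq=0x01
# (bonding), KeySize, InitKeys=0x01, RespKeys=0x01 (encryption key only).
HONEST_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])      # KeySize 16
HONEST_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])      # KeySize 16
DOWNGRADED_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x07, 0x01, 0x01])  # KeySize 7
DOWNGRADED_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x07, 0x01, 0x01])  # KeySize 7

if __name__ == "__main__":
    print(check_key_negotiation(HONEST_REQ, HONEST_RSP))          # accept, 128 bits
    print(check_key_negotiation(DOWNGRADED_REQ, DOWNGRADED_RSP))  # reject, 56 bits
```

Because the result is the minimum of the two fields, the check rejects the pairing whether Charlie lowers the request, the response, or both.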

  21. Part 2: BIAS Attack on BT

  22. BIAS Attacks Introduction
  • BIAS attacks target BT secure session establishment
    ◮ Not pairing
  • Assumptions for Alice and Bob
    ◮ Securely paired in absence of Charlie
    ◮ Share a strong pairing key (e.g. 16 bytes of entropy)

  23. Bluetooth Authentication Mechanisms
  • Legacy Secure Connection (LSC) authentication
    ◮ Unilateral, challenge-response
  • Secure Connection (SC) authentication
    ◮ Mutual, challenge-response
  • LSC or SC negotiated during secure session establishment

  24. BIAS Attacks on Bluetooth Session Establishment


  27. Legacy Secure Connection (LSC) Authentication
  Alice (slave, address A) and Bob (master, address B)
    Bob -> Alice: B, LSC
    Alice -> Bob: A, LSC
    Bob -> Alice: C_B (challenge)
    Alice -> Bob: R_A = H(C_B, A, K_L)
    Bob: R_A check

  28. Issues with LSC Authentication
  • LSC authentication is not used mutually for session establishment
  • A device can switch authentication role
  Alice (slave, address A) and Bob (master, address B)
    Bob -> Alice: B, LSC
    Alice -> Bob: A, LSC
    Bob -> Alice: C_B (challenge)
    Alice -> Bob: R_A = H(C_B, A, K_L)
    Bob: R_A check

  29. BIAS Attack on LSC: Master Impersonation
  Alice (slave, address A) and Charlie as Bob (master, address C)
    Charlie -> Alice: B, LSC
    Alice -> Charlie: A, LSC
    Charlie -> Alice: C_C (challenge)
    Alice -> Charlie: R_A = H(C_C, A, K_L)
    Charlie: Skip R_A check

  30. BIAS Attack on LSC: Slave Impersonation
  Charlie as Alice (slave, address C) and Bob (master, address B)
    Bob -> Charlie: B, LSC
    Charlie -> Bob: A, Role Switch, LSC
    Bob: Accept Role Switch
    Charlie is the master (verifier)
    Charlie -> Bob: C_C (challenge)
    Bob -> Charlie: R_B = H(C_C, B, K_L)
    Charlie: Skip R_B check
