the knob is broken exploiting low entropy in the
play

The KNOB is Broken: Exploiting Low Entropy in the Encryption Key - PowerPoint PPT Presentation

Mar 29, 2023 •225 likes •483 views

USENIX 2019 @ Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD)

  1. USENIX 2019 @ Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2 CISPA Helmholtz Center for Information Security 3 University of Oxford Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR 1

  2. Bluetooth • Bluetooth (BR/EDR or Classic) ◮ Pervasive wireless technology for personal area networks ◮ E.g., mobile, automotive, medical, and industrial devices • Bluetooth uses custom security mechanisms (at the link layer) ◮ Open but complex specification ◮ No public reference implementation Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 2

  3. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  4. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  5. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  6. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  7. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  8. Encryption Key Negotiation Of Bluetooth (KNOB) • Paired devices negotiate an encryption key ( K ′ C ) upon connection Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 4

  9. Encryption Key Negotiation Of Bluetooth (KNOB) • Paired devices negotiate an encryption key ( K ′ C ) upon connection Bluetooth allows K ′ C with 1 byte of entropy and does not authenticate Entropy Negotiation Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 4

  10. Our Contribution: Key Negotiation Of Bluetooth (KNOB) Attack • Our Key Negotiation of Bluetooth (KNOB) attack sets N=1, and brute forces K ′ C ◮ Affects any standard compliant Bluetooth device (architectural attack) ◮ Allows to decrypt all traffic and inject valid traffic ◮ Runs in parallel (multiple links and piconets) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 5

  11. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  12. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve 2 Alice and Bob initiate a secure connection Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  13. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve 2 Alice and Bob initiate a secure connection 3 Charlie makes the victims negotiate an encryption key with 1 byte of entropy Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  14. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve 2 Alice and Bob initiate a secure connection 3 Charlie makes the victims negotiate an encryption key with 1 byte of entropy 4 Charlie eavesdrop the ciphertext and brute force the key in real time Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  15. Bluetooth Entropy Negotiation • Entropy negotiation is neither integrity protected nor encrypted ◮ N between 1 and 16 Alice (controller) Bob (controller) A B LMP: AU RAND LMP: SRES LMP encryption mode req: 1 LMP accept LMP K ′ C entropy: 16 LMP K ′ C entropy: 1 Negot’n LMP accept LMP start encryption: EN RAND LMP accept Encryption key K ′ C has 1 byte of entropy Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR LMP 7

  16. Adversarial Bluetooth Entropy Negotiation • Charlie sets N=1 ( K ′ C ’s entropy), LMP is neither integrity protected nor encrypted Alice (controller) Charlie (attacker) Bob (controller) A C B LMP: AU RAND LMP: AU RAND LMP: SRES LMP: SRES LMP encryption mode req: 1 LMP encryption mode req: 1 LMP accept LMP accept LMP K ′ C entropy: 16 LMP K ′ C entropy: 1 LMP K ′ C entropy: 1 LMP accept Negot’n LMP accept LMP start encryption: EN RAND LMP start encryption: EN RAND LMP accept LMP accept Encryption key K ′ C has 1 byte of entropy Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR LMP 8

  17. Brute Forcing the Encryption Key ( K ′ C ) in Real Time • Alice and Bob use an encryption key ( K ′ C ) with 1 Byte of entropy ◮ Charlie brute forces K ′ C within 256 candidates (in parallel) • K ′ C space when entropy is 1 byte ◮ AES-CCM: 0x00 . . . 0xff ◮ E 0 : ( 0x00 . . . 0xff ) x 0x00e275a0abd218d4cf928b9bbf6cb08f Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Brute force 9

  18. KNOB Attack Scenario • Attacker decrypts a file exchanged over an encrypted Bluetooth link ◮ Victims: Nexus 5 and Motorola G3 ◮ Attacker: ThinkPad X1 and Ubertooth (Bluetooth sniffer) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 10

  19. Vulnerable chips and devices (Bluetooth 5.0, 4.2) Bluetooth chip Device(s) Vulnerable? Bluetooth Version 5.0 Snapdragon 845 Galaxy S9 � Snapdragon 835 Pixel 2, OnePlus 5 � Apple/USI 339S00428 MacBookPro 2018 � Apple A1865 iPhone X � Bluetooth Version 4.2 Intel 8265 ThinkPad X1 6th � Intel 7265 ThinkPad X1 3rd � Unknown Sennheiser PXC 550 � Apple/USI 339S00045 iPad Pro 2 � BCM43438 RPi 3B, RPi 3B+ � BCM43602 iMac MMQA2LL/A � � = Entropy of the encryption key ( K ′ C ) reduced to 1 Byte Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 11

  20. Vulnerable chips and devices (Bluetooth 4.1 and below) Bluetooth chip Device(s) Vulnerable? Bluetooth Version 4.1 BCM4339 (CYW4339) Nexus5, iPhone 6 � Snapdragon 410 Motorola G3 � Bluetooth Version ≤ 4.0 Snapdragon 800 LG G2 � Intel Centrino 6205 ThinkPad X230 � Chicony Unknown ThinkPad KT-1255 � Broadcom Unknown ThinkPad 41U5008 � Broadcom Unknown Anker A7721 � Apple W1 AirPods * � = Entropy of the encryption key ( K ′ C ) reduced to 1 Byte * = Entropy of the encryption key ( K ′ C ) reduced to 7 Byte Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 12

  21. KNOB in Bluetooth core spec v5.0 (page 1650) “For the encryption algorithm, the key size (N) may vary between 1 and 16 octets (8-128 bits) . The size of the encryption key is configurable for two rea- sons. The first has to do with the many different requirements imposed on cryptographic algorithms in different countries - both with respect to export regulations and official attitudes towards privacy in general. The second reason is to facilitate a future upgrade path for the security without the need of a costly redesign of the algorithms and encryption hardware; increasing the effective key size is the simplest way to combat increased computing power at the opponent side .” https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_ id=421043 Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 13

  22. KNOB Attack Disclosure and Countermeasures • We did responsible disclosure with CERT and Bluetooth SIG ( CVE-2019-9506 ) ◮ KNOB discovery in May 2018, exploitation and report in October 2018 ◮ Many industries affected, e.g., Intel, Broadcom, Qualcomm, ARM, and Apple • Legacy compliant countermeasures ◮ Set 16 bytes of entropy in the Bluetooth firmware ◮ Check N from the host (OS) upon connection ◮ Security mechanisms on top of the link layer • Non legacy compliant countermeasures ◮ Secure entropy negotiation with K L (ECDH shared secret) ◮ Get rid of the entropy negotiation protocol Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 14

  23. Conclusion • We propose the Key Negotiation Of Bluetooth (KNOB) attack ◮ Reduces the entropy of any encryption key to 1 Byte, and brute forces the key ◮ Affects any standard compliant Bluetooth device (architectural attack) ◮ Allows to decrypt all traffic and inject valid traffic ◮ Runs in parallel (multiple links and piconets) • We implement and evaluate the KNOB attack ◮ 14 vulnerable chips (Intel, Broadcom, Apple, and Qualcomm) ◮ 21 vulnerable devices • Provide effective legacy and non legacy compliant countermeasures • For more information visit: https://knobattack.com Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Conclusions 15

Recommend

Knob Handler Putting a handle on any knob 2.009 Yellow A Overview Arthritis patients

Knob Handler Putting a handle on any knob 2.009 Yellow A Overview Arthritis patients

Knob Handler Putting a handle on any knob 2.009 Yellow A Overview Arthritis patients have difficulty gripping and turning knobs Knob handler Portable Battery powered Self locking How It Works Market Arthritis

453 views • 8 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) >= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob

Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob

Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Whats After Whats After What s After What s After Peculiar Knob? Peculiar Knob? Peculiar Knob? Peculiar Knob? Bob Duffin Bob Duffin

627 views • 24 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
TATA HARRIER Harrier Gear Shift Knob TATA HARRIER GEAR KNOB TATA NEXON Nexon Gear Shift Knob

TATA HARRIER Harrier Gear Shift Knob TATA HARRIER GEAR KNOB TATA NEXON Nexon Gear Shift Knob

TATA HARRIER Harrier Gear Shift Knob TATA HARRIER GEAR KNOB TATA NEXON Nexon Gear Shift Knob Nexon Gear Shift Knob TATA TIAGO, TIGOR, ZEST, BOLT Zest / Bolt / Tiago / Tigor Gear Shift Knob Assembly (Without Leather Wrapping) Zest / Bolt /

330 views • 18 slides
Lilydale Regional Park North Knob Stabilization Meeting February 1, 2018 Me e ting Ag e

Lilydale Regional Park North Knob Stabilization Meeting February 1, 2018 Me e ting Ag e

Lilydale Regional Park North Knob Stabilization Meeting February 1, 2018 Me e ting Ag e nda 1. Introductions & Project Background General Cherokee Heights Ravine 2. Engineering Design Items North Knob Slope

910 views • 41 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus & have given up on being their own savior! Abraham Sarah (wife) Isaac (son) Hagar (maidservant) Ishmael (son) Abraham, our broken spiritual

258 views • 21 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides
Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute of Communication Engineering National Taipei University Chapter Outline Chap. 2 Entropy, Relative Entropy, and Mutual Information 2.1 Entropy 2.2

752 views • 51 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides
ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF CHEMISTRY AND BIOCHEMISTRY, BYU, PROVO, UT 84602, POPOVIC.PASA@GMAIL.COM Thermodynamic entropy - S (J/K) At T=0K ideal crystal imperfect

560 views • 21 slides
Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual information f -divergence Mikael Skoglund 1/16 Entropy Over ( R , B ) , consider a discrete RV X with all probability in a countable set X B ,

538 views • 8 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

209 views • 6 slides
Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J. A. Laeven Dept. of Econometrics and OR Tilburg University, CentER and Eurandom based on joint work with Mitja Stadje August 30, 2011 Entropy

442 views • 40 slides
GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines that led me straight to Christ. MATTHEW 1:1-17 UNCONDITIONAL & CONDITIONAL I. UNDERLYING COVENANTS Edenic & Adamic Covenants A. 1.

364 views • 20 slides
Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy The Maximum Entropy (MaxEnt) method is a methodology to assign or update probability distributions to describe systems which are not completely

202 views • 17 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for describing low-level computation on modern CPUs (c) 2009 Entropy Wave Inc Motivation (c) 2009 Entropy Wave Inc Motivation Want maintainable assembly

611 views • 28 slides
APEX expriment s knob M. Bai, Y. Hao, G. Robert-Demolaize, S. White, X. Shen, Z. Duan April

APEX expriment s knob M. Bai, Y. Hao, G. Robert-Demolaize, S. White, X. Shen, Z. Duan April

APEX expriment s knob M. Bai, Y. Hao, G. Robert-Demolaize, S. White, X. Shen, Z. Duan April 25, 2014 Motivation Luminosity reduction due to hourglass effect and s z = k z , s 1 = k 1 , s 2 = k 2 ,

709 views • 12 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

Introduction to Information Retrieval Entropy: a basic introduction 1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less compressible High entropy = high randomness/low compressibility Low entropy =

236 views • 19 slides

More recommend