Dark Mode
Capec-668 Detail
Key Negotiation of Bluetooth Attack (KNOB)
Standard Software Likelihood: Low Typical Severity: High
Parents: 115
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-668 | capec | https://capec.mitre.org/data/definitions/668.html | |
| CWE-425 | cwe | http://cwe.mitre.org/data/definitions/425.html | |
| CWE-285 | cwe | http://cwe.mitre.org/data/definitions/285.html | |
| CWE-693 | cwe | http://cwe.mitre.org/data/definitions/693.html | |
| T1565.002 | ATTACK | https://attack.mitre.org/wiki/Technique/T1565/002 | Data Manipulation: Transmitted Data Manipulation |
| REF-657 | reference_from_CAPEC | https://blog.malwarebytes.com/awareness/2019/08/bluetooth-vulnerability-can-be-exploited-in-key-negotiation-of-bluetooth-knob-attacks/ | Jovi Umawing, Bluetooth vulnerability can be exploited in Key Negotiation of Bluetooth (KNOB) attacks, 2019--08---21, MalwareBytes |
Explore
-
Discovery: Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.
| Techniques |
|---|
| Use packet capture tools. |
Experiment
-
Change the entropy bits: Upon recieving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.
Exploit
-
Capture and decrypt data: Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device.
- Person in the Middle network setup.
- Bluetooth adapter, packet capturing capabilities.
| Medium |
|---|
| Ability to modify packets. |
| Integrity | Authorization | Access Control | Confidentiality |
|---|---|---|---|
| Modify Data | Bypass Protection Mechanism | Bypass Protection Mechanism | Read Data |
| Bypass Protection Mechanism |
- Given users Alice, Bob and Charlie (Charlie being the attacker), Alice and Bob begin to agree on an encryption key when connecting. While Alice sends a message to Bob that an encryption key with 16 bytes of entropy should be used, Charlie changes this to 1 and forwards the request to Bob and continues forwarding these packets until authentication is successful.