Windows 10 News and info | Forum
September 22, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic  (Read 83 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 30475


I Do Windows


WWW Email
« on: August 14, 2019, 05:42:06 PM »
ReplyReply

A new Bluetooth vulnerability named "KNOB" has been disclosed that allow attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.

In a coordinated disclosure between Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new vulnerability called "KNOB" has been disclosed that affects Bluetooth BR/EDR devices, otherwise known as Bluetooth Classic, using specification versions 1.0 - 5.1.

This flaw has been assigned CVE ID CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection. In some cases, an attacker could reduce the length of an encryption key to a single octet.

"The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used," stated an advisory on Bluetooth.com. "In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet."

This reduction in key length would make it much easier for an attacker to brute force the encryption key used by the paired devices to communicate with each other.

Once the key was known to the attackers, they could monitor and manipulate the data being sent between the devices. This includes potentially injecting commands, monitoring keystrokes, and other types of behavior.

ICASI is not aware of this attack being used maliciously or any devices being created to initiate this type of attack.

This vulnerability was discovered by Daniele Antonioli from SUTD, Singapore, Dr. Nils Ole Tippenhauer, CISPA, Germany, and Prof. Kasper Rasmussen, University of Oxford, England, who will be presenting this research at the USINEX Security Symposium. They will also be releasing a paper titled "The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR" on August 14th, 2019.

Using the attack is not easy

Exploiting this vulnerability is not an easy task as it requires specific conditions to be in place. This includes:

■ Both devices need to be Bluetooth BR/EDR.

■ An attacker would need to be within range of the devices while they are establishing a connection.

■ "The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."

■ The encryption key would need to be successfully shortened and then brute forced to crack the decryption key.

■ The attacker would need to repeat this attack every time the devices paired.

Mitigating the KNOB vulnerability

To resolve this vulnerability, the Bluetooth specification has been updated to recommend a minimum encryption key length of 7 octets for BR/EDR connections.

Quote
"Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections.  The Bluetooth SIG will also include testing for this new recommendation within our Bluetooth Qualification Program.  In addition, the Bluetooth SIG strongly recommends that product developers update existing solutions to enforce a minimum encryption key length of 7 octets for BR/EDR connections."

Microsoft has released an update today titled "CVE-2019-9506 | Encryption Key Negotiation of Bluetooth Vulnerability" that will mitigate this vulnerability by enforcing "a default 7-octet minimum key length to ensure that the key negotiation does not trivialize the encryption."

This mitigation, though, is not enabled by default, as once enabled, Windows will block Bluetooth devices from connecting that do not meet the defined minimum key size.

Once the update is installed, to enable this feature in Windows you would need to add the EnableMinimumEncryptionKeySize value to HKLM\System\CurrentControlSet\Policies\Hardware\Bluetooth key and set it to 1.

You would then need to turn off Bluetooth, disable and enable the Bluetooth device in Device Manager, and then turn Bluetooth back on.

To disable this mitigation, you can set the EnableMinimumEncryptionKeySize to 0.

Full list of vendors

Below is the full list provided by ICASI of members and partners and whether they are affected:

ICASI Members:

■ A10 Networks: Not Impacted

■ Blackberry: http://support.blackberry.com/kb/articleDetail?articleNumber=000057251

■ Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190813-bluetooth

■ Intel Corporation: Not impacted. Further Information is available here

■ Johnson Controls: http://www.johnsoncontrols.com/cyber-solutions/security-advisories

■ Juniper:  Not Impacted

■ Microsoft: http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506

■ Oracle: Not Impacted

■ VMWare: Not Impacted

ICASI USIRP Partners:

■ Apple: http://support.apple.com/kb/HT201222

■ Lenovo: http://support.lenovo.com/us/en/product_security/LEN-27173

■ Bluetooth Special Interest Group: http://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth

■ CERT CC: http://www.kb.cert.org/vuls/id/918987

■ Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506

source
Logged


Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page August 16, 2019, 08:14:57 PM