Design, Implementation, and Evaluation of Secure Cyber-Physical and - - PowerPoint PPT Presentation
PhD Thesis Defense 2019 @ SUTD Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems Daniele Antonioli Singapore University of Technology and Design (SUTD) Daniele Antonioli Design, Implementation, and Evaluation
PhD Thesis Defense 2019 @ SUTD
Daniele Antonioli Singapore University of Technology and Design (SUTD)
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems 1
◮ Part I: Cyber-physical systems security (Chapter 1-5) ◮ Part II: Wireless systems security (Chapter 6-10) ◮ TL;DR: Read sections 1.3 and 6.3
◮ SUTD (P
. Szalachowski), University of Oxford (K. Rasmussen), and CISPA (N. O. Tippenhauer)
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems Introduction 2
◮ Information technology (IT) ◮ Operational technology (OT)
Sensor 42.42Sensors Actuators
Sensor 42.42Sensors Actuators
Sensor 42.42Sensors Actuators
L1 Network HMI Switch
HMISCADA
Remote IOPLC1a PLC1b
PLC PLCL0 Network RIO Process 1
Remote IO PLC PLCL0 Network RIO Process 2
Remote IO PLC PLCL0 Network RIO Process n
PLC2a PLC2b PLCna PLCnb
HMIHistorian Internet VPN/Gateway
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 3
◮ Cyber, physical, and cyber-physical attacks ◮ Wired and wireless connections (to the Internet)
◮ E.g. Stuxnet (nuclear), BlackEnergy (smart grid), TRISIS/TRITON (safety) Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 4
◮ Q1: Can we build a low-cost real-time simulation environment for CPS? [CPS-SPC15]
◮ Q2: Can we detect and mitigate cyber-physical attacks? [CPS-SPC16]
◮ Q3: Can we fill the gaps between IT and OT security professionals? [CPS-SPC17] Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 5
(C)yber − → Network Emulation (P)hysical − → Physical Layer Simulation and API (S)ystem − → Simulation of Control Devices
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 6
(C)yber − → Network Emulation (P)hysical − → Physical Layer Simulation and API (S)ystem − → Simulation of Control Devices
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 6
High-Interaction virtual honeypot Real ICS/SCADA system SI S Simulated PLC Simulated HMI Attacker Gateway PLC HMI
PLCGateway ICS network SSH T elnet Device Gateway SSH T elnet Device VPN
PLCInternet Emulated network VPN Physical Process Simulation Physical Process
High Interaction − → Simulate physical process and ICS devices Virtual − → Linux container virtualization In–a-box − → Runs on a single Linux kernel
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 7
SDN Controller Switch Physical Process Simulation Physical Layer API
Gateway 192.168.1.77
Attacker Internet Attacker Internet
Device 192.168.1.76 PLC4 192.168.1.40
VPN VPN SSH T elnet SSH T elnet
PLC3 192.168.1.30 PLC2 192.168.1.20 PLC1 192.168.1.10 HMI 192.168.1.100
EtherNet/IP High-Interaction virtual honeypot
High Interaction − → Simulate physical process and ICS devices Virtual − → Linux container virtualization In–a-box − → Runs on a single Linux kernel
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 7
◮ ICS-centric, gamified security competition ◮ We run it at SUTD in 2016 and 2017 ◮ IT and OT security professionals from academia and industry
◮ Evaluate MiniCPS as an educational tool ◮ E.g. MitM attacks, sensor and actuator manipulations
◮ Conducted (novel) attacks ◮ Evaluated (novel) defenses Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CPS Security 8
◮ Transmission and reception of electro-magnetic (EM) signals ◮ Over a wireless physical layer (e.g. over the air)
◮ Mobile communications: Wi-Fi, Bluetooth, and cellular ◮ Localization: GPS and RFID Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems Wireless Security 9
◮ Wireless channel is broadcast ◮ Threats: eavesdropping, jamming, etc.
◮ Wi-Fi: Key Reinstallation AttaCK (KRACK) on WPA2 ◮ Bluetooth: BlueBorne implementation flaws on Android and Linux Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems Wireless Security 10
◮ Q1: Can we leverage deployed physical layer features to secure communications?
[CANS17]
◮ Q2: Can we analyze and evaluate (proprietary) wireless technologies? [NDSS19]
◮ Q3: Can we harden already deployed technologies? [USEC19] Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems Wireless Security 11
◮ Q1: Can we leverage deployed physical layer features to secure communications?
[CANS17]
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems Wireless Security 11
◮ From bits to EM signals and vice versa
◮ Security guarantees from some physical layer features ◮ E.g. beamforming
◮ Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac WLAN [CANS17] Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Motivation 12
◮ 802.11b: single antenna, omnidirectional (SISO) ◮ 802.11n/ac: multiple antenna, beamforming (MIMO)
◮ Alice (access point) communicates with Bob (user) ◮ Eve (attacker) wants to eavesdrop the downlink from Alice to Bob
◮ If yes, we should use it (together with crypto) Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Introduction 13
◮ Alice uses 1 antennas ◮ Eve’s eavesdropping success depends on: dAE Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Introduction 14
◮ Alice uses L antennas to dynamically beamform towards Bob ◮ Bob experiences a gain but Eve does not ◮ Eve’s eavesdropping success depends on: dAE, dBE, and L Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Introduction 15
◮ Power of the useful signal divided by the noise power at the receiver ◮ Usually expressed in dB (10 log10 SNR = SNRdB)
◮ Probability of erroneously decoding 1-bit at the receiver ◮ Not an exact quantity (MCS, fading model) ◮ 10−6 considered reasonable
◮ PER = 1 − (1 − BER)N ◮ N is the average packet size in bits Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Introduction 16
◮ Eve targets the downlink from Alice to Bob ◮ Is Eve affected by n/ac PHY features?
◮ Eve’s SNR disadvantage in b vs. n/ac ◮ Eve’s PER disadvantage compared to Bob in n/ac
◮ Measure PER and SNR of Eve and Bob ◮ Compare the results with predictions Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Introduction 17
◮ Parametric simulation ot wireless links (indoor, outdoor) ◮ dBP is the breakpoint distance ◮ σSF is the shadowing std dev (log-normal) ◮ sPL LOS and NLOS path loss slopes
◮ dBP = 5 m ◮ σSF = 3, 4 dB ◮ sPL = 2, 3.5
◮ dBP = 10 m ◮ σSF = 3, 5 dB ◮ sPL = 2, 3.5 Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Analysis 18
20 40 60 80 100 120 140
Distance from Alice d [m]
0.0 0.2 0.4 0.6 0.8 1.0
Expected PER
PER = 50% Eve Bob (L=2) Bob (L=4)
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Analysis 19
20 40 60 80 100 120 140
Distance from Alice d [m]
0.0 0.2 0.4 0.6 0.8 1.0
Expected PER 12.5 m: Eve’s PER = 0.5 20 m: Eve’s PER = 0.98, Bob’s PER = 0 129.5 m from Eve: Bob’s PER 0.5
PER = 50% Eve Bob (L=2) Bob (L=4)
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Analysis 19
◮ dAB = 2 m ◮
dAE = [2.5, 5.0, . . . , 20] m (8 distances)
◮ ∆dAE = 2.5 m ◮ Constant angle and elevation ◮ NLOS (exploit multipath) Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Evaluation 20
◮ Wireshark running on Alice, Eve, and Bob ◮ 30 repetitions per distance (2.5 m, 5.0 m, . . . , 20 m)
◮ Received Signal Strength Indication (RSSI) and noise floor ◮ From radiotap headers
◮ From incorrect UDP checksums ◮ Over the total number of packet sent Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Evaluation 21
2.5 5.0 7.5 10.0 12.5 15.0 17.5 20.0
dAE [m]
20 40 60 80 100
Eve’s PER %
Model D prediction 802.11b Model D prediction 802.11n Model D prediction 802.11ac Measured values 802.11b Measured values 802.11n Measured values 802.11ac
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Evaluation 22
◮ Yes, 802.11n/ac PHY features disadvantage an eavesdropper
◮ SNR is bounded by 6-41 dB ◮ PER increases to 98% when dAE > 20 m ◮ Eve has to be 129.5 m closer to get same performance as Bob
◮ PER increases significantly when dAE > 15 m ◮ PER is 20% higher in 802.11n than in 802.11b ◮ PER is 30% higher in 802.11ac than in 802.11b Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems CANS17 - Conclusions 23
◮ Q1: Can we use physical layer features to build security mechanisms? [CANS17]
◮ Q2: Can we analyze and evaluate (proprietary) wireless technologies? [NDSS19]
◮ Q3: Can we harden already deployed technologies? [USEC19] Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Motivation 24
◮ Q2: Can we analyze and evaluate (proprietary) wireless technologies? [NDSS19] Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Motivation 24
◮ Specifications have amendments (revisions) ◮ Different implementations of a specification
◮ Proprietary specifications ◮ Closed-source implementations
◮ Nearby Threats: Reversing, Analyzing, and Attacking Google’s ‘Nearby Connections’ on
Android [NDSS19]
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Motivation 25
◮ API for Android and Android Things ◮ In-app proximity-based services
◮ Available across different Android versions ◮ Applications use it as a shared library Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Introduction 26
◮ Any Android (version ≥ 4.0) and Android Things device ◮ Uses Bluetooth and Wi-Fi (even at the same time)
◮ No public specifications ◮ Implementation is closed-source and obfuscated Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Introduction 27
◮ Uncovers its proprietary mechanisms and protocols ◮ Based on reversing its Android implementation
◮ Exposes parameters not accessible with the official API ◮ Impersonates nearby devices from any application
◮ Connection manipulation and range extension attacks ◮ Responsible disclosure with Google Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Introduction 28
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Background 29
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Background 30
◮ Profiling of processes, e.g. NC-App, NC-GPS ◮ Hook function and methods calls ◮ Override parameters and return values ◮ Read and write processes’ memory Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Setup 31
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated 3 Key Exchange Protocol: Establishment of a shared secret
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated 3 Key Exchange Protocol: Establishment of a shared secret 4 Optional Authentication: Based on the shared secret
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated 3 Key Exchange Protocol: Establishment of a shared secret 4 Optional Authentication: Based on the shared secret 5 Application Layer Connection Establishment: Interactive
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated 3 Key Exchange Protocol: Establishment of a shared secret 4 Optional Authentication: Based on the shared secret 5 Application Layer Connection Establishment: Interactive 6 Key Derivation Functions: Session, AES and HMAC keys
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated 3 Key Exchange Protocol: Establishment of a shared secret 4 Optional Authentication: Based on the shared secret 5 Application Layer Connection Establishment: Interactive 6 Key Derivation Functions: Session, AES and HMAC keys 7 Optional Physical Layer Switch: Bluetooth to Wi-Fi
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated 3 Key Exchange Protocol: Establishment of a shared secret 4 Optional Authentication: Based on the shared secret 5 Application Layer Connection Establishment: Interactive 6 Key Derivation Functions: Session, AES and HMAC keys 7 Optional Physical Layer Switch: Bluetooth to Wi-Fi 8 Exchange Encrypted Payloads: Proximity-based service
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
1 Discovery: Bluetooth name (BR/EDR) and BLE reports 2 Connection Request: automatic over Bluetooth, not authenticated 3 Key Exchange Protocol: Establishment of a shared secret 4 Optional Authentication: Based on the shared secret 5 Application Layer Connection Establishment: Interactive 6 Key Derivation Functions: Session, AES and HMAC keys 7 Optional Physical Layer Switch: Bluetooth to Wi-Fi 8 Exchange Encrypted Payloads: Proximity-based service 9 Disconnection: automatic after a 30 seconds timeout
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 32
Client C Server S Generate skC, pkC Pick NC cC = Hash(pkC) Generate skS, pkS Pick NS Kep1: 1, endpointId, ncname, version Kep2: 2, NC, cC, algo Kep3: 3, NS, pkS Kep4: 4, pkC Verify cC (Sx, Sy) = skS · pkC (Sx, Sy) = skC · pkS
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 33
◮ Server instructs the client over Bluetooth (e.g. ESSID, password) ◮ Client contacts the server over Wi-Fi Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - RE 34
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 35
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 36
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 37
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 38
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 39
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 40
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 41
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Attacks 42
◮ Yes, and they should not use security through obscurity.
◮ Android and Android Things API for proximity-based services
◮ REarby https://francozappa.github.io/project/rearby/
◮ Range extension MitM: authenticate nodes and check proximity ◮ Soft access point manipulation: authenticate nodes Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems NDSS19 - Conclusions 43
◮ C1: Evaluation of CPS (IT and OT) technologies
◮ C2: Cyber-physical attacks
◮ C3: CPS security education
[CPS-SPC17]
◮ C1: Wireless physical layer as a defense mechanism
◮ C2: Complexity and accessibility of wireless technologies
Android [NDSS19]
◮ C3: Security evaluations and hardening of wireless technologies
BR/EDR [USEC19]
Thanks for your time! Questions? More at: https://francozappa.github.io
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems Conclusions 44
◮ Q1: Can we leverage deployed physical layer features to secure communications?
[CANS17]
◮ Q2: Can we analyze and evaluate (proprietary) wireless technologies? [NDSS19]
◮ Q3: Can we harden already deployed technologies? [USEC19] Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Motivation 45
◮ Q3: Can we harden already deployed technologies? [USEC19] Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Motivation 45
◮ Wide attack surface: IT, mobile, automotive, medical, and industrial
◮ Open specification ◮ Custom security mechanisms ◮ No public reference implementation
◮ The KNOB is broken: Exploiting low entropy in the encryption key negotiation of
Bluetooth BR/EDR [USEC19]
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Motivation 46
◮ P2P
, master-slave
◮ Better performance, yet less battery life than Bluetooth Low Energy (BLE) Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Motivation 47
◮ Confidentiality, integrity, and authentication
◮ Pairing to generate a link key (long term secret) ◮ ECDH and nonce-based key authentication ◮ Session keys derived from the link key (AES, HMAC)
◮ AES-CCM rather than E0 ◮ P-256 curve rather than P-192 curve Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Background 48
C per connection
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 KNOB 49
“For the encryption algorithm, the key size may vary between 1 and 16 octets (8-128 bits). The size of the encryption key is configurable for two reasons. The first has to do with the many different requirements imposed on cryptographic algorithms in different countries - both with respect to export regulations and
future upgrade path for the security without the need of a costly redesign of the algorithms and encryption hardware; increasing the effective key size is the simplest way to combat increased computing power at the opponent side.” https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_ id=421043
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 KNOB 50
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 KNOB 51
◮ Victims already performed pairing (they share KL) ◮ Link layer is encrypted (using K ′
C)
◮ In range with the Alice and Bob ◮ Wants to eavesdrop and manipulate the victims’s information Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 KNOB 52
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 KNOB 53
Alice (controller) A Bob (controller) B LMP: AU RAND LMP: SRES LMP encryption mode req: 1 LMP accept Negot’n LMP K′
C entropy: 16
LMP K′
C entropy: 1
LMP accept LMP start encryption: EN RAND LMP accept Encryption key K′
C has 1 byte of entropy
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Key Negotiation 54
Alice (controller) A Charlie (attacker) C Bob (controller) B LMP: AU RAND LMP: AU RAND LMP: SRES LMP: SRES LMP encryption mode req: 1 LMP encryption mode req: 1 LMP accept LMP accept Negot’n LMP K′
C entropy: 16
LMP K′
C entropy: 1
LMP accept LMP K′
C entropy: 1
LMP accept LMP start encryption: EN RAND LMP start encryption: EN RAND LMP accept LMP accept Encryption key K′
C has 1 byte of entropy
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Key Negotiation 55
C)
◮ Use an encryption key (K ′
C) with 1 Byte of entropy
◮ K ′
C is one within 256 candidates
◮ Eavesdrops the ciphertext ◮ Tests the 256 K ′
C candidates against the ciphertext (in parallel)
◮ Use K ′
C to decrypt all packets and inject new packets
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Key Negotiation 56
, no SC)
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Key Negotiation 57
◮ All standard compliant Bluetooth devices are (potentially) vulnerable ◮ Regardless their implementations, SSP
, and SC
◮ We tested all the Bluetooth devices that we had access to Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Evaluation 58
Bluetooth chip Device(s) Vulnerable? Bluetooth Version 5.0 Snapdragon 845 Galaxy S9
Pixel 2, OnePlus 5
MacBookPro 2018
iPhone X
Intel 8265 ThinkPad X1 6th
ThinkPad X1 3rd
Sennheiser PXC 550
iPad Pro 2
RPi 3B, RPi 3B+
iMac MMQA2LL/A
C) reduced to 1 Byte
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Evaluation 59
Bluetooth chip Device(s) Vulnerable? Bluetooth Version 4.1 BCM4339 (CYW4339) Nexus5, iPhone 6
Motorola G3
Snapdragon 800 LG G2
ThinkPad X230
ThinkPad KT-1255
ThinkPad 41U5008
Anker A7721
AirPods * = Entropy of the encryption key (K ′
C) reduced to 1 Byte
* = Entropy of the encryption key (K ′
C) reduced to 7 Byte
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Evaluation 60
◮ Set N to 16 (set Lmin = Lmax = 16) ◮ Check N from the host (OS) upon connection ◮ Security mechanisms on top of the link layer
◮ Secure entropy negotiation with KL (ECDH shared secret) ◮ Get rid of the entropy negotiation protocol Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Countermeasures 61
◮ The entropy of any encryption key can be reduced to 1 Byte ◮ All standard compliant devices are (potentially) vulnerable
◮ Key Negotiation Of Bluetooth (KNOB) attack ◮ Evaluated on more than 14 chips (e.g. Intel, Broadcom, Apple, Qualcomm)
◮ Legacy and non legacy compliant ◮ Today the embargo is over and the KNOB should be fixed
https://github.com/francozappa/knob
Daniele Antonioli Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems USEC19 Conclusions 62