from the bluetooth standard to standard compliant 0 days
play

From the Bluetooth Standard to Standard-Compliant 0-days Daniele - PowerPoint PPT Presentation

Jan 30, 2023 •503 likes •876 views

Hardwear.io Virtual Con 2020 From the Bluetooth Standard to Standard-Compliant 0-days Daniele Antonioli and Mathias Payer Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days 1

  1. Hardwear.io Virtual Con 2020 From the Bluetooth Standard to Standard-Compliant 0-days Daniele Antonioli and Mathias Payer Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days 1

  2. Who We Are • Daniele Antonioli ◮ Security researcher, Postdoc at EPFL ◮ @francozappa ◮ More: https://francozappa.github.io • Mathias Payer ◮ Security researcher, Professor at EPFL ◮ @gannimo ◮ More: https://nebelwelt.net/ • We are researchers in the HexHive group ◮ System security topics ◮ More: https://hexhive.epfl.ch/ Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Bio 2

  3. Bluetooth Standard • Bluetooth Standard ◮ Complex document (Bluetooth Core v5.2, 3.256 pages) ◮ Specifies Bluetooth Classic (BT) and Bluetooth Low Energy (BLE) https://www.bluetooth.com/specifications/bluetooth-core-specification/ Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Cover 3

  4. Standard-Compliant 0-days • Standard-compliant 0-day (security vulnerability) ◮ Unknown and/or unaddressed ◮ Agnostic to hardware, and software implementation details ◮ Very effective (1 vuln = all standard-compliant devices are exploitable) ◮ Difficult to patch (firmware upgrades, device recall) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Cover 4

  5. Key Negotiation of Bluetooth (KNOB) Attacks • KNOB attacks on Bluetooth Low Energy (BLE) and Bluetooth Classic (BT) ◮ Exploiting standard-compliant 0-days in Bluetooth key negotiation • Related work (cc: Nils Tippenhauer and Kasper Rasmussen) ◮ “The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR” [SEC19] ◮ “Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy” [TOPS20] Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Cover 5

  6. Bluetooth Security Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Bluetooth Security 6

  7. Bluetooth Security Overview • Pairing ◮ Establish a long term key (SSP based on ECDH) • Secure session establishment ◮ Establish a session key (derived from pairing key) • Security mechanisms ◮ Association: protect against man-in-the-middle attacks ◮ Key negotiation : negotiate a key with variable entropy (strength) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Bluetooth Security 7

  8. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Bluetooth Security 8

  9. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Bluetooth Security 8

  10. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Bluetooth Security 8

  11. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Bluetooth Security 8

  12. KNOB attack on BLE Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BLE 9

  13. BLE Pairing: Overview Alice (master) Bob (slave) A B Phase 1: Feature exchange (including key negotation) Phase 2: key establishment and optional authentication Phase 3: key distribution (over encrypted link) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BLE 10

  14. BLE Pairing: Key Negotiation Alice (master) Bob (slave) A B Phase 1: Feature exchange (including key negotation) Pairing Request: IO, AuthReq, KeySize, InitKey, RespKey Pairing Response: IO, AuthReq, KeySize, InitKey, RespKey • Key negotiation issues (standard-compliant 0-days) ◮ KeySize negotiation is not protected , i.e. no integrity, no encryption ◮ KeySize values between 7 bytes and 16 bytes Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BLE 11

  15. KNOB Attack on BLE Feature Exchange Alice (master) Charlie (attacker) Bob (slave) A C B Phase 1: Feature exchange (including key negotiation) IO, AuthReq, KeySize: 16, InitKeys, RespKeys IO, AuthReq, KeySize: 7 , InitKeys, RespKeys IO, AuthReq, KeySize: 7 , InitKeys, RespKeys IO, AuthReq, KeySize: 16, InitKeys, RespKeys Phase 2: Key establishment and optional authentication Phase 3: Key distribution over encrypted link • KNOB attack on BLE pairing ◮ Attacker downgrades KeySize to 7 bytes ◮ Victims’ pairing and session keys have 7 bytes of entropy ◮ Attacker brute-forces the low-entropy keys Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BLE 12

  16. Implementation of KNOB Attack on BLE • Security Manager Protocol (SMP) manipulation ◮ Implemented in the BLE host (OS) • Custom Linux kernel ◮ net/bluetooth/smp.c : SMP_DEV(hdev)->max_key_size = 7 • Custom user-space BLE stack ◮ Based on PyBT ( https://github.com/mikeryan/PyBT ) ◮ That is based on scapy ( https://scapy.net ) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BLE 13

  17. Evaluation of BLE KNOB Attack (19 devices, from Oct 2019) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BLE 14

  18. KNOB attack on BT Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 15

  19. BT Pairing • Alice and Bob ◮ Securely paired over BT in absence of Charlie ◮ Share a strong pairing key (16 bytes of entropy) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 16

  20. BT Session Establishment: Overview Alice (master) Bob (slave) A B Phase 1: Pairing key authentication Phase 2: Session key negotation Phase 3: Start encryption Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 17

  21. BT Session Establishment: Session Key Negotiation Alice (master) Bob (slave) A B Phase 2: Session key negotation Key entropy: 16 Key entropy: 15 Accept • Key negotiation issues (standard-compliant 0-days) ◮ Key entropy negotiation is not protected , i.e. no integrity, no encryption ◮ Key entropy values between 1 byte and 16 bytes Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 18

  22. KNOB Attack on BT Session Key Negotiation Alice (master) Charlie (attacker) Bob (slave) A C B Phase 1: Pairing key authentication Phase 2: Session key negotation Key entropy: 16 Key entropy: 1 Key entropy: 1 Accept Accept Phase 3: Start encryption • KNOB attack on BT secure session establishment ◮ Attacker downgrades key entropy to 1 bytes ◮ Attacker brute-forces the low-entropy key Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 19

  23. Implementation of KNOB Attack on BT • Link Manager Protocol (LMP) manipulation ◮ Implemented in the BT controller (firmware) • Custom version of internalblue ◮ RE Nexus 5 BT firmware ◮ Write ARM patches for LMP ◮ Patch Nexus 5 at runtime Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 20

  24. Evaluation of BT KNOB Attack (38 devices, from Jun 2019) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 21

  25. Evaluation of BT KNOB Attack (38 devices, from Jun 2019) Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days KNOB BT 21

  26. KNOB Attacks Countermeasures Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Countermeasures 22

  27. Our countermeasures for BT and BLE • Legacy-compliant ◮ Set minimum entropy value to 16 bytes ◮ Enforce key entropy of 16 bytes • Non legacy-compliant ◮ Integrity protect key negotiation ◮ Remove entropy negotiation feature Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Countermeasures 23

  28. Bluetooth SIG amended the standard (2019-08-13) • Erratum 11838: Encryption Key Size Updates ◮ BT minimum entropy value now is 7 bytes, BLE stays the same ◮ Mandatory for Bluetooth versions: 4.2, 5.0, 5.1, 5.2 https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=470741 Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days Countermeasures 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth Today Bluetooth Special Interests Group Compatible with a multitude of devices Widespread IEEE Standard Secure

230 views • 7 slides
and more... The standard library is the collection of functions and types that is supplied with

and more... The standard library is the collection of functions and types that is supplied with

Containers, algorithms and more... The standard library is the collection of functions and types that is supplied with every standard-compliant C++ compiler What should be in the standard library? And equally important: what should not

929 views • 38 slides
Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Standard Statement 1 Standard Statement 2 Key Ideas and Details Standard Statement 3 Reading: Literature Standard Statement 4 Standard Statement 5 Craft and Structure Standard Statement 6 Standard Statement 7 Integration of Knowledge

391 views • 16 slides
The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h

The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h

The Standard C Library 1 The C Standard Library 2 The C Standard Library I/O stdio.h printf, scanf, puts, gets, open, close, read, write, fprintf, fscanf, fseek, Memory and string operations string.h memcpy, memcmp, memset,

1.02k views • 54 slides
Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of

Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of

The Standards of Quality (SOQ) Standard 3. Accreditation and Assessment Standard 8. Compliance Standard 9. Virginia Index of Performance Recognition Program Dr. Cynthia A. Cave Assistant Superintendent for Policy and Communications

626 views • 31 slides
Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS

Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS

Standard Seven: The blood standard quality improvement cycle Philippa Kirkpatrick The NSQHS Standards Standard 1 Standard 2 Governance for Safety and Partnering with Quality in Health Consumers Service Organisations Standard 3 Healthcare

649 views • 32 slides
Standard Error & Confidence Interval Standard Error A particular kind of standard

Standard Error & Confidence Interval Standard Error A particular kind of standard

Standard Error & Confidence Interval Standard Error A particular kind of standard deviation Standard Error := standard deviation of the sampling distribution of a statistic Statistic := a function of a dataset (e.g., mean, median,

578 views • 33 slides
Nature provides no standard of length Nature provides no standard of volume Nature provides no

Nature provides no standard of length Nature provides no standard of volume Nature provides no

THE PENDULUM AND THREE STANDARDS THAT MEASURED THE ANCIENT WORLD And the Mystery of the Parthenon revealed Nature provides no standard of length Nature provides no standard of volume Nature provides no standard of weight Nature provides three

567 views • 23 slides
THE STANDARD C LIBRARY THE STANDARD C LIBRARY Common functions we dont need to write

THE STANDARD C LIBRARY THE STANDARD C LIBRARY Common functions we dont need to write

THE STANDARD C LIBRARY THE STANDARD C LIBRARY Common functions we dont need to write ourselves Provides a portable interface to many system calls Analogous to class libraries in Java or C++ Function prototypes declared in standard

641 views • 40 slides
Oklahoma Standard @OP OPSRead eadines ess okschoolrea eadines ess.org Oklahoma Standard

Oklahoma Standard @OP OPSRead eadines ess okschoolrea eadines ess.org Oklahoma Standard

Oklahoma Standard @OP OPSRead eadines ess okschoolrea eadines ess.org Oklahoma Standard Origins Project HOPE Hopeful Futures COVID-19 Oklahoma Standard Story Gathering OTTAWA WOODS ALFALFA WASHINGTON KAY NOWATA HARPER

383 views • 10 slides
APT TECHNICAL CPD - MAF STANDARD COSTING Standard Costing Nicholas Riemer

APT TECHNICAL CPD - MAF STANDARD COSTING Standard Costing Nicholas Riemer

APT TECHNICAL CPD - MAF STANDARD COSTING Standard Costing Nicholas Riemer Nicholas.Riemer@firstrand.co.za Agenda Workflow to understanding standard costing What is standard costing? Generic Problem Industry considerations? What

808 views • 50 slides
Standard Introduction of the new Standard to key Stakeholders Welcome to the Builders Merchants

Standard Introduction of the new Standard to key Stakeholders Welcome to the Builders Merchants

Trade Supplier Level 2 Apprenticeship Standard Introduction of the new Standard to key Stakeholders Welcome to the Builders Merchants Federation (BMF) John Newcomb Chief Executive, BMF 2 Welcome and Introductions Margaret Fitzsimons

1.2k views • 84 slides
Standard Drilling Standard Drilling Company Presentation June 2012 PURPOSE S.D. Standard Drilling

Standard Drilling Standard Drilling Company Presentation June 2012 PURPOSE S.D. Standard Drilling

Standard Drilling Standard Drilling Company Presentation June 2012 PURPOSE S.D. Standard Drilling was established for the purpose of creating shareholder value by building a premium oilfield services company through superior assets, systems and

673 views • 33 slides
SQL Structured Query Language Standard for relational db systems History:

SQL Structured Query Language Standard for relational db systems History:

SQL Structured Query Language Standard for relational db systems History: Developed at IBM in late 70s First standard: SQL-86 Second standard: SQL-92 Third standard: SQL-99 or SQL3, well over 1000 pages! The nice things

320 views • 27 slides
PHILIPPINE AGRICULTURAL ENGINEERING STANDARD PAES 102 : 2000 Foreword This standard is a

PHILIPPINE AGRICULTURAL ENGINEERING STANDARD PAES 102 : 2000 Foreword This standard is a

PHILIPPINE AGRICULTURAL ENGINEERING STANDARD PAES 102 : 2000 Foreword This standard is a revision of the Standard Administrative Order (SAO) 399:1980 Operator Manuals and Technical Publications for Agricultural Tractors and

411 views • 15 slides
BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper

BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper

IEEE S&P 2020 BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper Rasmussen (Oxford Univ.) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS 1 Bluetooth standard

923 views • 34 slides
Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with

Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with

Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with A. D. Jaggard, A. Scedrov, J.-K. Tsay, and C. Walstad) Partially supported by ONR and NSF Information and Software Engineering Department 30

278 views • 26 slides
Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle attack Diffie-Hellman Alice Bob new na new nb g na g nb K = (g nb ) na K = (g na ) nb Man-in-the-middle attack Diffie-Hellman Alice Bob Alice

401 views • 25 slides
1 Multilevel Security Different security levels for resources Important systems A

1 Multilevel Security Different security levels for resources Important systems A

Last time Threats Introduction Threat analysis Policy Introduction to access Specification control matrix Design Implementation Operation and Maintenance 7/10 - 05 Distributed systems - Jonny Pettersson, UmU 1 Security in the

444 views • 13 slides
Rewrite-Based Access Control Policies in Distributed Environments Maribel Fern andez Kings

Rewrite-Based Access Control Policies in Distributed Environments Maribel Fern andez Kings

Rewrite-Based Access Control Policies in Distributed Environments Maribel Fern andez Kings College London Joint work with Clara Bertolissi (LIF, Univ. Marseilles) 12th CREST Open Workshop - Security and Code April 2011 M. Fern andez

1.04k views • 30 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and

478 views • 23 slides
DiffieHellman Key Exchange Algorithm Analysis of DHKE Man-in-the-Middle Attack on DHKE

DiffieHellman Key Exchange Algorithm Analysis of DHKE Man-in-the-Middle Attack on DHKE

Cryptography DiffieHellman Key Exchange DiffieHellman Key Exchange DiffieHellman Key Exchange Algorithm Analysis of DHKE Man-in-the-Middle Attack on DHKE Cryptography Implementations of DHKE DiffieHellman in School of

753 views • 18 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides

More recommend