the knob is broken exploiting low entropy in the
play

The KNOB is Broken: Exploiting Low Entropy in the Encryption Key - PowerPoint PPT Presentation

Mar 29, 2023 •225 likes •483 views

USENIX 2019 @ Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD)

  1. USENIX 2019 @ Santa Clara, US The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2 CISPA Helmholtz Center for Information Security 3 University of Oxford Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR 1

  2. Bluetooth • Bluetooth (BR/EDR or Classic) ◮ Pervasive wireless technology for personal area networks ◮ E.g., mobile, automotive, medical, and industrial devices • Bluetooth uses custom security mechanisms (at the link layer) ◮ Open but complex specification ◮ No public reference implementation Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 2

  3. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  4. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  5. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  6. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  7. Bluetooth Security Mechanisms Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Motivation 3

  8. Encryption Key Negotiation Of Bluetooth (KNOB) • Paired devices negotiate an encryption key ( K ′ C ) upon connection Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 4

  9. Encryption Key Negotiation Of Bluetooth (KNOB) • Paired devices negotiate an encryption key ( K ′ C ) upon connection Bluetooth allows K ′ C with 1 byte of entropy and does not authenticate Entropy Negotiation Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 4

  10. Our Contribution: Key Negotiation Of Bluetooth (KNOB) Attack • Our Key Negotiation of Bluetooth (KNOB) attack sets N=1, and brute forces K ′ C ◮ Affects any standard compliant Bluetooth device (architectural attack) ◮ Allows to decrypt all traffic and inject valid traffic ◮ Runs in parallel (multiple links and piconets) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 5

  11. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  12. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve 2 Alice and Bob initiate a secure connection Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  13. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve 2 Alice and Bob initiate a secure connection 3 Charlie makes the victims negotiate an encryption key with 1 byte of entropy Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  14. KNOB Attack Stages 1 Alice and Bob securely pair in absence of Eve 2 Alice and Bob initiate a secure connection 3 Charlie makes the victims negotiate an encryption key with 1 byte of entropy 4 Charlie eavesdrop the ciphertext and brute force the key in real time Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR KNOB 6

  15. Bluetooth Entropy Negotiation • Entropy negotiation is neither integrity protected nor encrypted ◮ N between 1 and 16 Alice (controller) Bob (controller) A B LMP: AU RAND LMP: SRES LMP encryption mode req: 1 LMP accept LMP K ′ C entropy: 16 LMP K ′ C entropy: 1 Negot’n LMP accept LMP start encryption: EN RAND LMP accept Encryption key K ′ C has 1 byte of entropy Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR LMP 7

  16. Adversarial Bluetooth Entropy Negotiation • Charlie sets N=1 ( K ′ C ’s entropy), LMP is neither integrity protected nor encrypted Alice (controller) Charlie (attacker) Bob (controller) A C B LMP: AU RAND LMP: AU RAND LMP: SRES LMP: SRES LMP encryption mode req: 1 LMP encryption mode req: 1 LMP accept LMP accept LMP K ′ C entropy: 16 LMP K ′ C entropy: 1 LMP K ′ C entropy: 1 LMP accept Negot’n LMP accept LMP start encryption: EN RAND LMP start encryption: EN RAND LMP accept LMP accept Encryption key K ′ C has 1 byte of entropy Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR LMP 8

  17. Brute Forcing the Encryption Key ( K ′ C ) in Real Time • Alice and Bob use an encryption key ( K ′ C ) with 1 Byte of entropy ◮ Charlie brute forces K ′ C within 256 candidates (in parallel) • K ′ C space when entropy is 1 byte ◮ AES-CCM: 0x00 . . . 0xff ◮ E 0 : ( 0x00 . . . 0xff ) x 0x00e275a0abd218d4cf928b9bbf6cb08f Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Brute force 9

  18. KNOB Attack Scenario • Attacker decrypts a file exchanged over an encrypted Bluetooth link ◮ Victims: Nexus 5 and Motorola G3 ◮ Attacker: ThinkPad X1 and Ubertooth (Bluetooth sniffer) Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 10

  19. Vulnerable chips and devices (Bluetooth 5.0, 4.2) Bluetooth chip Device(s) Vulnerable? Bluetooth Version 5.0 Snapdragon 845 Galaxy S9 � Snapdragon 835 Pixel 2, OnePlus 5 � Apple/USI 339S00428 MacBookPro 2018 � Apple A1865 iPhone X � Bluetooth Version 4.2 Intel 8265 ThinkPad X1 6th � Intel 7265 ThinkPad X1 3rd � Unknown Sennheiser PXC 550 � Apple/USI 339S00045 iPad Pro 2 � BCM43438 RPi 3B, RPi 3B+ � BCM43602 iMac MMQA2LL/A � � = Entropy of the encryption key ( K ′ C ) reduced to 1 Byte Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 11

  20. Vulnerable chips and devices (Bluetooth 4.1 and below) Bluetooth chip Device(s) Vulnerable? Bluetooth Version 4.1 BCM4339 (CYW4339) Nexus5, iPhone 6 � Snapdragon 410 Motorola G3 � Bluetooth Version ≤ 4.0 Snapdragon 800 LG G2 � Intel Centrino 6205 ThinkPad X230 � Chicony Unknown ThinkPad KT-1255 � Broadcom Unknown ThinkPad 41U5008 � Broadcom Unknown Anker A7721 � Apple W1 AirPods * � = Entropy of the encryption key ( K ′ C ) reduced to 1 Byte * = Entropy of the encryption key ( K ′ C ) reduced to 7 Byte Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Evaluation 12

  21. KNOB in Bluetooth core spec v5.0 (page 1650) “For the encryption algorithm, the key size (N) may vary between 1 and 16 octets (8-128 bits) . The size of the encryption key is configurable for two rea- sons. The first has to do with the many different requirements imposed on cryptographic algorithms in different countries - both with respect to export regulations and official attitudes towards privacy in general. The second reason is to facilitate a future upgrade path for the security without the need of a costly redesign of the algorithms and encryption hardware; increasing the effective key size is the simplest way to combat increased computing power at the opponent side .” https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_ id=421043 Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 13

  22. KNOB Attack Disclosure and Countermeasures • We did responsible disclosure with CERT and Bluetooth SIG ( CVE-2019-9506 ) ◮ KNOB discovery in May 2018, exploitation and report in October 2018 ◮ Many industries affected, e.g., Intel, Broadcom, Qualcomm, ARM, and Apple • Legacy compliant countermeasures ◮ Set 16 bytes of entropy in the Bluetooth firmware ◮ Check N from the host (OS) upon connection ◮ Security mechanisms on top of the link layer • Non legacy compliant countermeasures ◮ Secure entropy negotiation with K L (ECDH shared secret) ◮ Get rid of the entropy negotiation protocol Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Discussion 14

  23. Conclusion • We propose the Key Negotiation Of Bluetooth (KNOB) attack ◮ Reduces the entropy of any encryption key to 1 Byte, and brute forces the key ◮ Affects any standard compliant Bluetooth device (architectural attack) ◮ Allows to decrypt all traffic and inject valid traffic ◮ Runs in parallel (multiple links and piconets) • We implement and evaluate the KNOB attack ◮ 14 vulnerable chips (Intel, Broadcom, Apple, and Qualcomm) ◮ 21 vulnerable devices • Provide effective legacy and non legacy compliant countermeasures • For more information visit: https://knobattack.com Daniele Antonioli The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR Conclusions 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Knob Handler Putting a handle on any knob 2.009 Yellow A Overview Arthritis patients

Knob Handler Putting a handle on any knob 2.009 Yellow A Overview Arthritis patients

Knob Handler Putting a handle on any knob 2.009 Yellow A Overview Arthritis patients have difficulty gripping and turning knobs Knob handler Portable Battery powered Self locking How It Works Market Arthritis

453 views • 8 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) >= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob

Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob

Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Looking Beyond the Knob Whats After Whats After What s After What s After Peculiar Knob? Peculiar Knob? Peculiar Knob? Peculiar Knob? Bob Duffin Bob Duffin

627 views • 24 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
TATA HARRIER Harrier Gear Shift Knob TATA HARRIER GEAR KNOB TATA NEXON Nexon Gear Shift Knob

TATA HARRIER Harrier Gear Shift Knob TATA HARRIER GEAR KNOB TATA NEXON Nexon Gear Shift Knob

TATA HARRIER Harrier Gear Shift Knob TATA HARRIER GEAR KNOB TATA NEXON Nexon Gear Shift Knob Nexon Gear Shift Knob TATA TIAGO, TIGOR, ZEST, BOLT Zest / Bolt / Tiago / Tigor Gear Shift Knob Assembly (Without Leather Wrapping) Zest / Bolt /

330 views • 18 slides
Lilydale Regional Park North Knob Stabilization Meeting February 1, 2018 Me e ting Ag e

Lilydale Regional Park North Knob Stabilization Meeting February 1, 2018 Me e ting Ag e

Lilydale Regional Park North Knob Stabilization Meeting February 1, 2018 Me e ting Ag e nda 1. Introductions & Project Background General Cherokee Heights Ravine 2. Engineering Design Items North Knob Slope

910 views • 41 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus & have given up on being their own savior! Abraham Sarah (wife) Isaac (son) Hagar (maidservant) Ishmael (son) Abraham, our broken spiritual

258 views • 21 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides
Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute of Communication Engineering National Taipei University Chapter Outline Chap. 2 Entropy, Relative Entropy, and Mutual Information 2.1 Entropy 2.2

752 views • 51 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides
ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF CHEMISTRY AND BIOCHEMISTRY, BYU, PROVO, UT 84602, POPOVIC.PASA@GMAIL.COM Thermodynamic entropy - S (J/K) At T=0K ideal crystal imperfect

560 views • 21 slides
Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual information f -divergence Mikael Skoglund 1/16 Entropy Over ( R , B ) , consider a discrete RV X with all probability in a countable set X B ,

538 views • 8 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

207 views • 6 slides
Licensing Modernization Project (LMP) Amir Afzali Licensing and Policy Director Southern

Licensing Modernization Project (LMP) Amir Afzali Licensing and Policy Director Southern

Licensing Modernization Project (LMP) Amir Afzali Licensing and Policy Director Southern Company Licensing Modernization Project Why: Reduce regulatory uncertainty to enable accelerated commercialization of advanced non-LWR reactors

384 views • 6 slides
Are there new molecules Are there new molecules for Pseudomonas for Pseudomonas in the pipeline

Are there new molecules Are there new molecules for Pseudomonas for Pseudomonas in the pipeline

P. aeruginosa : resistance and therapeutic options Are there new molecules Are there new molecules for Pseudomonas for Pseudomonas in the pipeline ? in the pipeline ? Unit de Pharmacologie F. Van Bambeke Universit catholique de

285 views • 27 slides
RAPORT DE ACTIVITATE AL FAZEI Contract nr.: PN 09370102/2009 Titlul proiectului: Elaborarea de

RAPORT DE ACTIVITATE AL FAZEI Contract nr.: PN 09370102/2009 Titlul proiectului: Elaborarea de

RAPORT DE ACTIVITATE AL FAZEI Contract nr.: PN 09370102/2009 Titlul proiectului: Elaborarea de modele teoretice si metode matematice riguroase pentru investigarea structurii materiei Director de proiect: Dr. Aurelian Isar Faza nr.

524 views • 27 slides
H OW C AN W E D ESIGN AN A LGORITHM ? In all the above problems one can think of improving

H OW C AN W E D ESIGN AN A LGORITHM ? In all the above problems one can think of improving

R EGULARIZATION FOR M ULTI -O UTPUT L EARNING R EGULARIZATION M ETHODS FOR H IGH D IMENSIONAL L EARNING Francesca Odone and Lorenzo Rosasco odone@disi.unige.it - lrosasco@mit.edu June 10, 2011 Regularization Methods for High Dimensional Learning

617 views • 47 slides
Apollo 8: Lunar Orbit INST 154 Apollo at 50 Onboard Audio Apollo Mission Sequence As Planned

Apollo 8: Lunar Orbit INST 154 Apollo at 50 Onboard Audio Apollo Mission Sequence As Planned

Apollo 8: Lunar Orbit INST 154 Apollo at 50 Onboard Audio Apollo Mission Sequence As Planned As Flown A A Uncrewed Saturn V Apollo 4, 6 B B Uncrewed LM Apollo 5 C C CSM Earth Orbit Apollo 7 D C CSM/LM

391 views • 25 slides
Pregnant and Bleeding in the I have no disclosures. First Trimester Jody Steinauer, MD, MAS D e

Pregnant and Bleeding in the I have no disclosures. First Trimester Jody Steinauer, MD, MAS D e

7/3/18 Disclosures- July 3, 2018 Pregnant and Bleeding in the I have no disclosures. First Trimester Jody Steinauer, MD, MAS D e p t . O b / G y n & R e p r o d u c t iv e S c ie n c e s ! ! Objectives Patient Case: Presentation 1.

664 views • 19 slides
FUNDAMENTALS OF OBSTETRICS Christine Pecci, MD Department of Family and Community Medicine

FUNDAMENTALS OF OBSTETRICS Christine Pecci, MD Department of Family and Community Medicine

3/19/2015 No disclosures FUNDAMENTALS OF OBSTETRICS Christine Pecci, MD Department of Family and Community Medicine March 2015 Dating Gestational Age Discrepancy for redating w US date Tanya is a 23 yo G1P0 who presents for early

249 views • 11 slides
Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs , Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson pag225@cornell.edu, @pag_crypto Outsourced Databases Database Encrypting Outsourced

705 views • 23 slides

More recommend