Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy

Bluetooth (BR/EDR) and Bluetooth Low Energy (BLE) are pervasive wireless technologies specified in the Bluetooth standard. The standard includes key negotiation protocols used to generate long-term keys (during pairing) and session keys (during secure connection establishment). In this work, we demonstrate that the key negotiation protocols of Bluetooth and BLE are vulnerable to standard-compliant entropy downgrade attacks. In particular, we show how an attacker can downgrade the entropy of any Bluetooth session key to 1 byte, and of any BLE long-term key and session key to 7 bytes. Such low entropy values enable the attacker to brute-force Bluetooth long-term keys and BLE long-term and session keys, and to break all the security guarantees promised by Bluetooth and BLE. As a result of our attacks, an attacker can decrypt all the ciphertext and inject valid ciphertext in any Bluetooth and BLE network. Our key negotiation downgrade attacks are conducted remotely, do not require access to the victims’ devices, and are stealthy to the victims. As the attacks are standard-compliant, they are effective regardless of the usage of the strongest Bluetooth and BLE security modes (including Secure Connections), the Bluetooth version, and the implementation details of the devices used by the victims. We successfully attack 38 Bluetooth devices (32 unique Bluetooth chips) and 19 BLE devices from different vendors, using all the major versions of the Bluetooth standard. Finally, we present effective legacy compliant and non-legacy compliant countermeasures to mitigate our key negotiation downgrade attacks.

[1]  Avishai Wool,et al.  Cracking the Bluetooth PIN , 2005, MobiSys '05.

[2]  Eman Salem Alashwali,et al.  What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS , 2018, SecureComm.

[3]  Eli Biham,et al.  Breaking the Bluetooth Pairing - The Fixed Coordinate Invalid Curve Attack , 2019, IACR Cryptol. ePrint Arch..

[4]  Ozan K. Tonguz,et al.  On the potential of bluetooth low energy technology for vehicular applications , 2015, IEEE Communications Magazine.

[5]  Diego A. Ortiz-Yepes BALSA: Bluetooth Low Energy Application Layer Security Add-on , 2015, 2015 International Workshop on Secure Internet of Things (SIoT).

[6]  Frank Piessens,et al.  Release the Kraken: New KRACKs in the 802.11 Standard , 2018, CCS.

[7]  Frank Piessens,et al.  Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 , 2017, CCS.

[8]  Jakob Jonsson,et al.  On the Security of CTR + CBC-MAC , 2002, Selected Areas in Cryptography.

[9]  John Paul Dunning,et al.  Taming the Blue Beast: A Survey of Bluetooth Based Threats , 2010, IEEE Security & Privacy.

[10]  Matthias Hollick,et al.  Anatomy of a Vulnerable Fitness Tracking System , 2018, Proc. ACM Interact. Mob. Wearable Ubiquitous Technol..

[11]  Bin Yu,et al.  Bluetooth Low Energy (BLE) based mobile electrocardiogram monitoring system , 2012, 2012 IEEE International Conference on Information and Automation.

[12]  Musaria K. Mahmood MATLAB Implementation of 128-key length SAFER+ Cipher System , 2017 .

[13]  Nils Ole Tippenhauer,et al.  BIAS: Bluetooth Impersonation AttackS , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[14]  Jie Liu,et al.  MASHaBLE: mobile applications of secret handshakes over bluetooth LE , 2016, MobiCom '16.

[15]  Nils Ole Tippenhauer,et al.  Nearby Threats: Reversing, Analyzing, and Attacking Google's 'Nearby Connections' on Android , 2019, NDSS.

[16]  Karen A. Scarfone,et al.  Guide to Bluetooth Security , 2008 .

[17]  William E. Burr,et al.  Recommendation for Key Management, Part 1: General (Revision 3) , 2006 .

[18]  Odysseas G. Koufopavlou,et al.  Hardware Implementation of Bluetooth Security , 2003, IEEE Pervasive Comput..

[19]  Frank Stajano,et al.  Location Privacy in Bluetooth , 2005, ESAS.

[20]  Christof Paar,et al.  Breaking Ciphers with COPACOBANA - A Cost-Optimized Parallel Code Breaker , 2006, CHES.

[21]  Mike Ryan,et al.  Bluetooth: With Low Energy Comes Low Security , 2013, WOOT.

[22]  Markus Jakobsson,et al.  Security Weaknesses in Bluetooth , 2001, CT-RSA.

[23]  Bruce Schneier,et al.  Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security. A Report by an Ad Hoc Group of Cryptographers and Computer Scientists , 1996 .

[24]  Kang G. Shin,et al.  Protecting Privacy of BLE Device Users , 2016, USENIX Security Symposium.

[25]  Russ Housley,et al.  Counter with CBC-MAC (CCM) , 2003, RFC.

[26]  K. Hypponen,et al.  “Nino” man-in-the-middle attack on bluetooth secure simple pairing , 2007, 2007 3rd IEEE/IFIP International Conference in Central Asia on Internet.

[27]  Stefan Lucks,et al.  Analysis of the E0 Encryption System , 2001, Selected Areas in Cryptography.

[28]  Mathy Vanhoef,et al.  Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[29]  Dirk Fox,et al.  Bluetooth Security , 2002, Datenschutz und Datensicherheit.

[30]  Matthias Hollick,et al.  InternalBlue - Bluetooth Binary Patching and Experimentation Framework , 2019, MobiSys.

[31]  Dawn Song,et al.  Smart Locks: Lessons for Securing Commodity Internet of Things Devices , 2016, AsiaCCS.

[32]  Nils Ole Tippenhauer,et al.  The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR , 2019, USENIX Security Symposium.

[33]  Keijo Haataja,et al.  Two practical man-in-the-middle attacks on Bluetooth secure simple pairing and countermeasures , 2010, IEEE Transactions on Wireless Communications.

[34]  Heon-Chang Yu,et al.  Evaluation of P2P and cloud computing as platform for exhaustive key search on block ciphers , 2018, Peer-to-Peer Netw. Appl..