CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
CAPEC Version: 3.9
Updated: 2023-01-24
Attack Pattern Description
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.
Execution Flow
Step 1 Explore
[Discovery] Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.
- Use packet capture tools.
Step 2 Experiment
[Change the entropy bits] Upon receiving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.
Step 3 Exploit
[Capture and decrypt data] Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device.
Prerequisites
- Person in the Middle network setup.
Skills Required
Resources Required
- Bluetooth adapter, packet capturing capabilities.
Consequences
Scope: Confidentiality
Technical Impact: Read Data
Scope: Confidentiality, Access Control, Authorization
Technical Impact: Bypass Protection Mechanism
Scope: Integrity
Technical Impact: Modify Data
Mitigations
Newer Bluetooth firmwares ensure that the KNOB is not negotiated in plaintext. Update your device.
Example Instances
Given users Alice, Bob and Charlie (Charlie being the attacker), Alice and Bob begin to agree on an encryption key when connecting. While Alice sends a message to Bob that an encryption key with 16 bytes of entropy should be used, Charlie changes this to 1 and forwards the request to Bob and continues forwarding these packets until authentication is successful.
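The following is an added simulation, not part of the CAPEC entry and not code from any Bluetooth stack. It models the key-size negotiation between Alice (initiator) and Bob (responder) as a pair of messages whose key-size field an in-path party (Charlie) may rewrite, and shows why the mitigation above works: a device that enforces a minimum key size aborts pairing instead of keying with 1 byte of entropy. The 7-byte minimum used for "hardened" devices is an assumed value for illustration; the message format is a constructed abstraction, not the real LMP encoding.

```python
"""Simulated Bluetooth encryption-key-size negotiation (KNOB scenario).

Constructed example: it models the message flow described in this entry,
not a real Bluetooth controller.  Key sizes are bytes of entropy (1..16).
"""
from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_BYTES = 16
# Assumed hardened minimum: firmware updated against KNOB refuses any key
# size below this value.  Legacy firmware (min_key_bytes=1) accepts anything.
HARDENED_MIN_KEY_BYTES = 7


@dataclass
class Device:
    name: str
    max_key_bytes: int = MAX_KEY_BYTES
    min_key_bytes: int = 1  # legacy behaviour unless raised by the caller

    def counter_offer(self, proposed: int) -> Optional[int]:
        """Responder side: accept the proposal capped at the local maximum,
        or return None to abort when it is below the local minimum."""
        accepted = min(proposed, self.max_key_bytes)
        if accepted < self.min_key_bytes:
            return None
        return accepted

    def confirm(self, accepted: int) -> bool:
        """Initiator side: final sanity check before keying with this size."""
        return self.min_key_bytes <= accepted <= self.max_key_bytes


def negotiate(initiator: Device, responder: Device,
              in_path: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """Run one negotiation round and return the agreed key size in bytes,
    or None if either side aborts.  `in_path` models a party sitting on the
    link that rewrites the key-size field of each message (Charlie in the
    example instance); None means the link is untouched."""
    rewrite = in_path or (lambda size: size)
    proposal = rewrite(initiator.max_key_bytes)   # initiator -> responder
    accepted = responder.counter_offer(proposal)
    if accepted is None:
        return None                               # responder aborts pairing
    accepted = rewrite(accepted)                  # responder -> initiator
    if not initiator.confirm(accepted):
        return None                               # initiator aborts pairing
    return accepted


def downgrade_to_one(size: int) -> int:
    """Charlie's rewrite from the example instance: the requested entropy
    is replaced with 1 in both directions."""
    return 1


def weak_session(agreed: Optional[int]) -> bool:
    """Defender-side check: a completed session whose key size is below the
    hardened minimum should be treated as suspect and logged."""
    return agreed is not None and agreed < HARDENED_MIN_KEY_BYTES


if __name__ == "__main__":
    legacy = (Device("Alice"), Device("Bob"))
    hardened = (Device("Alice", min_key_bytes=HARDENED_MIN_KEY_BYTES),
                Device("Bob", min_key_bytes=HARDENED_MIN_KEY_BYTES))
    for label, pair in (("legacy", legacy), ("hardened", hardened)):
        for tamper in (None, downgrade_to_one):
            agreed = negotiate(*pair, in_path=tamper)
            print(f"{label:8s} tampered={tamper is not None!s:5s} "
                  f"agreed={agreed} weak={weak_session(agreed)}")
```

Running the block prints four rows: legacy devices end up with a 1-byte key when Charlie rewrites the field, while hardened devices abort the pairing. Note that enforcing the minimum on only one side is enough to abort in this model, because the initiator re-checks the size it is about to key with; `weak_session` is the check a monitoring host would apply to sessions that did complete.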
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1565.002 | Data Manipulation: Transmitted Data Manipulation |