skip to main content
research-article

Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy

Published:04 July 2020Publication History
Skip Abstract Section

Abstract

Bluetooth (BR/EDR) and Bluetooth Low Energy (BLE) are pervasive wireless technologies specified in the Bluetooth standard. The standard includes key negotiation protocols used to generate long-term keys (during pairing) and session keys (during secure connection establishment). In this work, we demonstrate that the key negotiation protocols of Bluetooth and BLE are vulnerable to standard-compliant entropy downgrade attacks. In particular, we show how an attacker can downgrade the entropy of any Bluetooth session key to 1 byte, and of any BLE long-term key and session key to 7 bytes. Such low entropy values enable the attacker to brute-force Bluetooth long-term keys and BLE long-term and session keys, and to break all the security guarantees promised by Bluetooth and BLE. As a result of our attacks, an attacker can decrypt all the ciphertext and inject valid ciphertext in any Bluetooth and BLE network.

Our key negotiation downgrade attacks are conducted remotely, do not require access to the victims’ devices, and are stealthy to the victims. As the attacks are standard-compliant, they are effective regardless of the usage of the strongest Bluetooth and BLE security modes (including Secure Connections), the Bluetooth version, and the implementation details of the devices used by the victims. We successfully attack 38 Bluetooth devices (32 unique Bluetooth chips) and 19 BLE devices from different vendors, using all the major versions of the Bluetooth standard. Finally, we present effective legacy compliant and non-legacy compliant countermeasures to mitigate our key negotiation downgrade attacks.

References

  1. Eman Salem Alashwali and Kasper Rasmussen. 2018. What’s in a downgrade? A taxonomy of downgrade attacks in the TLS protocol and application protocols using TLS. In Proceedings of the International Conference on Security and Privacy in Communication Systems. Springer, 468--487.Google ScholarGoogle ScholarCross RefCross Ref
  2. Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. 2019. Nearby threats: Reversing, analyzing, and attacking Google’s “Nearby Connections” on Android. In Proceedings of the Network and Distributed System Security Symposium (NDSS). IEEE.Google ScholarGoogle ScholarCross RefCross Ref
  3. Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. 2019. The KNOB is broken: Exploiting low entropy in the encryption key negotiation of Bluetooth BR/EDR. In Proceedings of the USENIX Security Symposium. USENIX.Google ScholarGoogle Scholar
  4. Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. 2020. BIAS: Bluetooth impersonation AttackS. In Proceedings of the IEEE Symposium on Security and Privacy (S&P).Google ScholarGoogle ScholarCross RefCross Ref
  5. Armis Inc. 2017. The Attack Vector BlueBorne Exposes Almost Every Connected Device. Retrieved January 26, 2018 from https://armis.com/blueborne/.Google ScholarGoogle Scholar
  6. Armis Inc. 2018. BLEEDINGBIT Exposes Enterprise Access Points and Unmanaged Devices to Undetectable Chip Level Attack. Retrieved July 24, 2019 https://armis.com/bleedingbit/.Google ScholarGoogle Scholar
  7. Python Cryptographic Authority. 2019. Python cryptography. Retrieved February 4, 2019 from https://cryptography.io/en/latest/.Google ScholarGoogle Scholar
  8. Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. 2012. Recommendation for key management part 1: General (revision 3). NIST Special Publication 800, 57 (2012), 1--147.Google ScholarGoogle Scholar
  9. Eli Biham and Lior Neumann. 2018. Breaking the Bluetooth Pairing--Fixed Coordinate Invalid Curve Attack. Retrieved October 30, 2018 from http://www.cs.technion.ac.il/ biham/BT/bt-fixed-coordinate-invalid-curve-attack.pdf.Google ScholarGoogle Scholar
  10. Philippe Biondi. 2018. Retrieved January 26, 2018 from Scapy: Packet crafting for Python2 and Python3. https://scapy.net/.Google ScholarGoogle Scholar
  11. Matt Blaze, Whitfield Diffie, Ronald L Rivest, Bruce Schneier, and Tsutomu Shimomura. 1996. Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security. A Report by an Ad Hoc Group of Cryptographers and Computer Scientists. Technical Report. Information Assurance Technology Analysis Center, Falls Church, VA.Google ScholarGoogle Scholar
  12. Bluetooth SIG. 2016. Bluetooth Core Specification v5.0. Retrieved October 28, 2019 from https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=421043.Google ScholarGoogle Scholar
  13. Bluetooth SIG. 2019. Bluetooth Markets. Retrieved October 23, 2019 from https://www.bluetooth.com/markets/.Google ScholarGoogle Scholar
  14. Damien Cauquil. 2018. You had better secure your BLE devices. Retrieved September 27, 2019 from https://archive.org/details/youtube-VHJfd9h6G2s.Google ScholarGoogle Scholar
  15. Jiska Classen, Daniel Wegemer, Paul Patras, Tom Spink, and Matthias Hollick. 2018. Anatomy of a vulnerable fitness tracking system: Dissecting the fitbit cloud, app, and firmware. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 1, 1 (2018).Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Arnaud Delmas. 2015. A C implementation of the Bluetooth stream cipher E0. Retrieved October 28, 2018 from https://github.com/adelmas/e0.Google ScholarGoogle Scholar
  17. DigitalSecurity. 2016. BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework. Retrieved July 30, 2019 from https://github.com/DigitalSecurity/btlejuice.Google ScholarGoogle Scholar
  18. John Dunning. 2010. Taming the blue beast: A survey of Bluetooth based threats. IEEE Security 8 Privacy 8, 2 (2010), 20--27.Google ScholarGoogle Scholar
  19. Kassem Fawaz, Kyu-Han Kim, and Kang G. Shin. 2016. Protecting privacy of {BLE} device users. In Proceedings of the USENIX Security Symposium (USENIX Security). 1205--1221.Google ScholarGoogle Scholar
  20. Scott Fluhrer and Stefan Lucks. 2001. Analysis of the E0 encryption system. In Proceedings of the International Workshop on Selected Areas in Cryptography. Springer, 38--48.Google ScholarGoogle ScholarCross RefCross Ref
  21. Kent Griffin, John Hastings Granbery, Hill Ferguson, David Marcus, and Michael Charles Todasco. 2015. Bluetooth low energy (ble) pre-check in. US Patent App. 14/479,200.Google ScholarGoogle Scholar
  22. Keijo Haataja and Pekka Toivanen. 2010. Two practical man-in-the-middle attacks on Bluetooth secure simple pairing and countermeasures. Transactions on Wireless Communications 9, 1 (2010), 384--392.Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Hexway. 2019. Apple bleee. Everyone Knows What Happens on Your iPhone. Retrieved July 24, 2019 from https://hexway.io/blog/apple-bleee/.Google ScholarGoogle Scholar
  24. Grant Ho, Derek Leung, Pratyush Mishra, Ashkan Hosseini, Dawn Song, and David Wagner. 2016. Smart locks: Lessons for securing commodity Internet of Things devices. In Proceedings of the Asia Conference on Computer and Communications Security (ASIACCS). ACM, 461--472.Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. David Hulton. 2008. Intercepting GSM traffic. BlackHat Briefings.Google ScholarGoogle Scholar
  26. Konstantin Hypponen and Keijo M. J. Haataja. 2007. “Nino” man-in-the-middle attack on bluetooth secure simple pairing. In Proceedings of the International Conference in Central Asia on Internet. IEEE, 1--5.Google ScholarGoogle Scholar
  27. IETF. 2003. Counter with CBC-MAC (CCM). Retrieved October 28, 2018 from https://www.ietf.org/rfc/rfc3610.txt.Google ScholarGoogle Scholar
  28. Markus Jakobsson and Susanne Wetzel. 2001. Security weaknesses in Bluetooth. In Proceedings of the Cryptographers’ Track at the RSA Conference. Springer, 176--191.Google ScholarGoogle ScholarCross RefCross Ref
  29. Sławomir Jasek. 2016. Gattacking Bluetooth smart devices. Black Hat USA Conference.Google ScholarGoogle Scholar
  30. Jakob Jonsson. 2002. On the security of CTR+ CBC-MAC. In Proceedings of the International Workshop on Selected Areas in Cryptography. Springer, 76--93.Google ScholarGoogle Scholar
  31. Avinash Kak. 2018. BitVector.py. Retrieved October 28, 2018 from https://engineering.purdue.edu/kak/dist/BitVector-3.4.8.html.Google ScholarGoogle Scholar
  32. John Kelsey, Bruce Schneier, and David Wagner. 1999. Key schedule weaknesses in SAFER+. In Proceeings of the Advanced Encryption Standard Candidate Conference. NIST, 155--167.Google ScholarGoogle Scholar
  33. Paraskevas Kitsos, Nicolas Sklavos, Kyriakos Papadomanolakis, and Odysseas Koufopavlou. 2003. Hardware implementation of Bluetooth security. IEEE Pervasive Computing 1 (2003), 21--29.Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer, and Manfred Schimmler. 2006. Breaking ciphers with COPACOBANA--A cost-optimized parallel code breaker. In Proceedings of International Workshop on Cryptographic Hardware and Embedded Systems (CHES). Springer, 101--118.Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Jiun-Ren Lin, Timothy Talty, and Ozan K. Tonguz. 2015. On the potential of bluetooth low energy technology for vehicular applications. IEEE Communications Magazine 53, 1 (2015), 267--275.Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Musaria K. Mahmood, Lujain S. Abdulla, Ahmed H. Mohsin, and Hamza A. Abdullah. 2017. MATLAB implementation of 128-key length SAFER+ cipher system. International Journal of Engineering Research and Application 7 (2017), 49--55.Google ScholarGoogle ScholarCross RefCross Ref
  37. Dennis Mantz, Jiska Classen, Matthias Schulz, and Matthias Hollick. 2019. InternalBlue - Bluetooth binary patching and experimentation framework. In Proceedings of Conference on Mobile Systems, Applications and Services (MobiSys). ACM.Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. James L. Massey, Gurgen H. Khachatrian, and Melsik K. Kuregian. 1998. Nomination of SAFER+ as candidate algorithm for the Advanced Encryption Standard (AES). NIST AES Proposal.Google ScholarGoogle Scholar
  39. Yan Michalevsky, Suman Nath, and Jie Liu. 2016. MASHaBLE: Mobile applications of secret handshakes over bluetooth LE. In Proceedings of the Annual International Conference on Mobile Computing and Networking. ACM, 387--400.Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Diego A. Ortiz-Yepes. 2015. BALSA: Bluetooth low energy application layer security add-on. In Proceedings of the International Workshop on Secure Internet of Things (SIoT). IEEE, 15--24.Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Michael Ossmann. 2019. Project Ubertooth. Retrieved October 21, 2019 from https://github.com/greatscottgadgets/ubertooth.Google ScholarGoogle Scholar
  42. John Padgette. 2017. Guide to bluetooth security. NIST Special Publication 800 (2017), 121.Google ScholarGoogle Scholar
  43. Mike Ryan. 2013. Bluetooth: With low energy comes low security. In Proceedings of USENIX Workshop on Offensive Technologies (WOOT), Vol. 13. USENIX, 4--4.Google ScholarGoogle Scholar
  44. Mike Ryan. 2015. PyBT: Hackable Bluetooth stack in Python. Retrieved June 19, 2019 from https://github.com/mikeryan/PyBT.Google ScholarGoogle Scholar
  45. Altaf Shaik and Ravishankar Borgaonkar. 2019. New Vulnerabilities in 5G Networks. Black Hat USA Conference.Google ScholarGoogle Scholar
  46. Yaniv Shaked and Avishai Wool. 2005. Cracking the Bluetooth PIN. In Proceedings of the Conference on Mobile Systems, Applications, and Services (MobiSys). ACM, 39--50.Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. Google Cloud Team. 2018. Google Titan Security Keys. Retrieved February 4, 2019 from https://cloud.google.com/titan-security-key/.Google ScholarGoogle Scholar
  48. National Security Agency USA. 2019. Ghidra: A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission. Retrieved February 4, 2019 from https://ghidra-sre.org/.Google ScholarGoogle Scholar
  49. Juha T. Vainio. 2000. Bluetooth Security. Technical Report. Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory.Google ScholarGoogle Scholar
  50. Mathy Vanhoef and Frank Piessens. 2017. Key reinstallation attacks: Forcing nonce reuse in WPA2. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 1313--1328.Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Mathy Vanhoef and Frank Piessens. 2018. Release the Kraken: New KRACKs in the 802.11 standard. In Proceedings of the ACM Conference on Computer and Communications Security (CCS). ACM.Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Mathy Vanhoef and Eyal Ronen. 2020. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In Proceedings of the Symposium on Security 8 Privacy (SP). IEEE.Google ScholarGoogle ScholarCross RefCross Ref
  53. Ford-Long Wong and Frank Stajano. 2005. Location privacy in Bluetooth. In Proceedings of the European Workshop on Security in Ad-hoc and Sensor Networks. Springer, 176--188.Google ScholarGoogle ScholarDigital LibraryDigital Library
  54. JunWeon Yoon, TaeYoung Hong, JangWon Choi, ChanYeol Park, KiBong Kim, and HeonChang Yu. 2018. Evaluation of P2P and cloud computing as platform for exhaustive key search on block ciphers. Peer-to-Peer Network and Applications 11 (2018), 1206--1216.Google ScholarGoogle ScholarCross RefCross Ref
  55. Bin Yu, Lisheng Xu, and Yongxu Li. 2012. Bluetooth low energy (BLE) based mobile electrocardiogram monitoring system. In Proceedings of the International Conference on Information and Automation. IEEE, 763--767.Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in

        Full Access

        • Published in

          cover image ACM Transactions on Privacy and Security
          ACM Transactions on Privacy and Security  Volume 23, Issue 3
          August 2020
          158 pages
          ISSN:2471-2566
          EISSN:2471-2574
          DOI:10.1145/3403643
          Issue’s Table of Contents

          Copyright © 2020 ACM

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 4 July 2020
          • Online AM: 7 May 2020
          • Revised: 1 April 2020
          • Accepted: 1 April 2020
          • Received: 1 December 2019
          Published in tops Volume 23, Issue 3

          Permissions

          Request permissions about this article.

          Request Permissions

          Check for updates

          Qualifiers

          • research-article
          • Research
          • Refereed

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader

        HTML Format

        View this article in HTML Format .

        View HTML Format
        About Cookies On This Site

        We use cookies to ensure that we give you the best experience on our website.

        Learn more

        Got it!