CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
Description
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.

Likelihood Of Attack

Typical Severity

Execution Flow
Explore
1. Discovery: Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.
   Techniques: Use packet capture tools.
Experiment
2. Change the entropy bits: Upon receiving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.
Exploit
3. Capture and decrypt data: Once the entropy of encryption is known, the adversary can capture data and then decrypt it on their device.
Prerequisites
Person in the Middle network setup.

Skills Required
[Level: Medium] Ability to modify packets.

Resources Required
Bluetooth adapter, packet capturing capabilities.
Consequences
This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope | Impact | Likelihood
---|---|---
Confidentiality | Read Data |
Confidentiality, Access Control, Authorization | Bypass Protection Mechanism |
Integrity | Modify Data |
Mitigations
Newer Bluetooth firmware ensures that the key negotiation (KNOB) is not performed in plaintext. Update your device.
Example Instances
Given users Alice, Bob and Charlie (Charlie being the attacker), Alice and Bob begin to agree on an encryption key when connecting. While Alice sends a message to Bob that an encryption key with 16 bytes of entropy should be used, Charlie changes this to 1 and forwards the request to Bob and continues forwarding these packets until authentication is successful.
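The negotiation in the Execution Flow and the Alice/Bob/Charlie instance above, modelled as an added example (not CAPEC content or a real Bluetooth stack): an in-path party rewrites the proposed entropy to 1 byte, and a receiver that enforces a minimum key size refuses the downgraded result. The message layout, the "accept the smaller of the two proposals" rule and the 7-byte policy floor are assumptions of this model.

```python
"""Toy model of Bluetooth encryption key-size (entropy) negotiation.

Constructed illustration of CAPEC-668; the request format and the policy
floor below are hypothetical simplifications, not the Bluetooth LMP wire format.
"""
from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_SIZE = 16  # bytes of entropy; the maximum the example instance cites
MIN_KEY_SIZE_POLICY = 7  # assumed local floor a hardened receiver enforces


@dataclass
class KeySizeReq:
    sender: str
    key_size: int  # requested entropy in bytes, 1..16


def keyspace(key_size: int) -> int:
    """Number of candidate keys an eavesdropper must try for a given size."""
    return 2 ** (8 * key_size)


def negotiate(alice_max: int, bob_max: int,
              in_path: Optional[Callable[[KeySizeReq], KeySizeReq]] = None) -> int:
    """Alice proposes her maximum; an optional in-path function may rewrite the
    request before Bob sees it (the Person in the Middle position); Bob accepts
    the smaller of what he received and his own maximum."""
    req = KeySizeReq("alice", alice_max)
    if in_path is not None:
        req = in_path(req)
    return min(req.key_size, bob_max)


def downgrade_to_one_byte(req: KeySizeReq) -> KeySizeReq:
    """The modification the page describes: entropy forced to 1 byte."""
    return KeySizeReq(req.sender, 1)


def accept_key_size(negotiated: int, min_key_size: int = MIN_KEY_SIZE_POLICY) -> bool:
    """Mitigation check: proceed only if the agreed size is in range and meets the floor."""
    return 1 <= negotiated <= MAX_KEY_SIZE and negotiated >= min_key_size


if __name__ == "__main__":
    honest = negotiate(16, 16)
    tampered = negotiate(16, 16, in_path=downgrade_to_one_byte)
    print(f"honest: {honest} bytes, keyspace 2^{8 * honest}, accepted={accept_key_size(honest)}")
    print(f"tampered: {tampered} byte, keyspace {keyspace(tampered)}, accepted={accept_key_size(tampered)}")
```

Without the floor, the tampered session proceeds with a 256-key space; with it, the downgraded negotiation is refused and the link is not established.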
Taxonomy Mappings
CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID | Entry Name
---|---
1565.002 | Data Manipulation: Transmitted Data Manipulation
References

Content History

Submissions

Submission Date | Submitter | Organization
---|---|---
2021-06-24 (Version 3.5) | CAPEC Content Team | The MITRE Corporation

Modifications

Modification Date | Modifier | Organization | Modification
---|---|---|---
2022-09-29 (Version 3.8) | CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings