
Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy

Published: 04 July 2020

Abstract

Bluetooth (BR/EDR) and Bluetooth Low Energy (BLE) are pervasive wireless technologies specified in the Bluetooth standard. The standard includes key negotiation protocols used to generate long-term keys (during pairing) and session keys (during secure connection establishment). In this work, we demonstrate that the key negotiation protocols of Bluetooth and BLE are vulnerable to standard-compliant entropy downgrade attacks. In particular, we show how an attacker can downgrade the entropy of any Bluetooth session key to 1 byte, and of any BLE long-term key and session key to 7 bytes. Such low entropy values enable the attacker to brute-force Bluetooth long-term keys and BLE long-term and session keys, and to break all the security guarantees promised by Bluetooth and BLE. As a result of our attacks, an attacker can decrypt all the ciphertext and inject valid ciphertext in any Bluetooth and BLE network.

Our key negotiation downgrade attacks are conducted remotely, do not require access to the victims’ devices, and are stealthy to the victims. As the attacks are standard-compliant, they are effective regardless of the usage of the strongest Bluetooth and BLE security modes (including Secure Connections), the Bluetooth version, and the implementation details of the devices used by the victims. We successfully attack 38 Bluetooth devices (32 unique Bluetooth chips) and 19 BLE devices from different vendors, using all the major versions of the Bluetooth standard. Finally, we present effective legacy-compliant and non-legacy-compliant countermeasures to mitigate our key negotiation downgrade attacks.

        Published In

        ACM Transactions on Privacy and Security, Volume 23, Issue 3
        August 2020
        158 pages
        ISSN: 2471-2566
        EISSN: 2471-2574
        DOI: 10.1145/3403643

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 04 July 2020
        Online AM: 07 May 2020
        Accepted: 01 April 2020
        Revised: 01 April 2020
        Received: 01 December 2019
        Published in TOPS Volume 23, Issue 3

        Author Tags

        1. BLE
        2. KNOB attack
        3. Security
        4. bluetooth
        5. downgrade attack
        6. key negotiation

        Qualifiers

        • Research-article
        • Research
        • Refereed
