CAPEC-668 Key Negotiation of Bluetooth Attack (KNOB)

CAPEC ID: 668

CAPEC-668 Metadata

Likelihood of Attack

Low

Typical Severity

High

Overview

Summary

An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.

Prerequisites

Person in the Middle network setup.

Execution Flow

Step 1 (Explore): [Discovery] Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.
  Techniques:
  • Use packet capture tools.
Step 2 (Experiment): [Change the entropy bits] Upon receiving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.
Step 3 (Exploit): [Capture and decrypt data] Once the entropy of encryption is known, the adversary can capture data and then decrypt it on their device.

Potential Solutions / Mitigations

Newer Bluetooth firmware ensures that the KNOB key negotiation is not performed in plaintext. Update your device.
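The entropy negotiation described in the Execution Flow above and the responder-side fix described here, as an added toy model in Python (not CAPEC's or any Bluetooth stack's code; the octet key sizes, the 7-octet floor, the capture record format and every function name are assumptions made for this illustration):

```python
import re

# Key sizes are in octets, as in the real negotiation (1 octet = 8 entropy bits).
MIN_KEY_SIZE = 7    # assumed local policy floor; not taken from the CAPEC text
MAX_KEY_SIZE = 16

def respond(proposed, min_key_size=MIN_KEY_SIZE):
    """Responder's decision on a key-size request (assumed helper).
    With min_key_size=1 (legacy behaviour) any size in 1..16 is accepted, so a
    request rewritten to 1 octet goes through. A hardened responder refuses
    anything below the floor, so the link fails to encrypt rather than
    encrypting with a key that is trivial to guess."""
    if not 1 <= proposed <= MAX_KEY_SIZE or proposed < min_key_size:
        return False, None
    return True, proposed

def negotiate(master_request, tampered_to, min_key_size):
    """One negotiation: the master asks for master_request octets; an on-path
    adversary may rewrite the request to tampered_to before the responder sees it.
    Returns the key size the link ends up with, or None if encryption is refused."""
    seen = master_request if tampered_to is None else tampered_to
    accepted, size = respond(seen, min_key_size)
    return size if accepted else None

# Constructed record format for a capture of the negotiation (assumed, not a real tool's output).
RECORD = re.compile(r"key_size_(req|accept) src=(\S+) dst=(\S+) size=(\d+)")

def audit(records, min_key_size=MIN_KEY_SIZE):
    """Defender-side check: flag every accepted key size below the floor, which is
    the observable footprint of a successful downgrade."""
    alerts = []
    for line in records:
        m = RECORD.search(line)
        if m and m.group(1) == "accept" and int(m.group(4)) < min_key_size:
            size = int(m.group(4))
            alerts.append(f"{m.group(2)}->{m.group(3)}: accepted {size} octet key "
                          f"({8 * size} entropy bits), below floor of {min_key_size}")
    return alerts

SAMPLE_RECORDS = [  # constructed sample, not a real capture
    "t=0.010 key_size_req src=master dst=slave size=16",
    "t=0.011 key_size_req src=master dst=slave size=1",   # request as rewritten in transit
    "t=0.012 key_size_accept src=slave dst=master size=1",
]

if __name__ == "__main__":
    print(negotiate(16, 1, 1))              # legacy responder: 1
    print(negotiate(16, 1, MIN_KEY_SIZE))   # hardened responder: None
    for alert in audit(SAMPLE_RECORDS):
        print(alert)
```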

Related Weaknesses (CWE)

CWE ID Description
CWE-285 Improper Authorization
CWE-425 Direct Request ('Forced Browsing')
CWE-693 Protection Mechanism Failure

Related CAPECs

CAPEC ID Description
CAPEC-115 An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-148 An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.

Taxonomy Mappings

Taxonomy: ATT&CK

Entry ID Entry Name
1565.002 Data Manipulation: Transmitted Data Manipulation
