Vol. 1 · Ed. 2026
CyberGlossary
Entry № 591

KNOB Attack

What is KNOB Attack?

KNOB Attack: A 2019 protocol flaw (CVE-2019-9506) allowing an attacker to force Bluetooth BR/EDR pairings down to one byte of effective entropy, enabling brute-force decryption.


The Key Negotiation Of Bluetooth attack, or KNOB, was disclosed in August 2019 by Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen and tracked as CVE-2019-9506. KNOB targets the Bluetooth Classic (BR/EDR) entropy negotiation procedure, in which two devices agree on the size of the link-layer encryption key (between 1 and 16 bytes). An attacker in range with the ability to inject or modify packets can coerce both peers into using just 1 byte of entropy, leaving only 256 possible session keys that a laptop can brute-force in seconds. The flaw affected nearly every BR/EDR chip available at the time. The Bluetooth SIG patched the specification to enforce a 7-byte minimum, and OS vendors shipped firmware updates throughout 2019 and 2020.
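A host-side check for the 7-byte minimum described above, added here as an illustration; it is not code from this glossary entry or from any vendor patch. It assumes the host asks the controller for the negotiated size with the standard HCI_Read_Encryption_Key_Size command and receives the raw Command Complete event; the function names and the sample events are constructed.

```python
import struct

EVT_CMD_COMPLETE = 0x0E
OP_READ_ENC_KEY_SIZE = 0x1408  # OGF 0x05, OCF 0x0008
MIN_KEY_SIZE = 7               # minimum stated in the entry above
MAX_KEY_SIZE = 16

def parse_key_size_event(event: bytes):
    """Return (handle, status, key_size) for a key-size reply, else None."""
    if len(event) < 2 or event[0] != EVT_CMD_COMPLETE:
        return None
    params = event[2:]
    if len(params) != event[1] or len(params) < 3:
        raise ValueError("length field does not match event body")
    _num_cmds, opcode = struct.unpack_from("<BH", params, 0)
    if opcode != OP_READ_ENC_KEY_SIZE:
        return None
    if len(params) != 7:
        raise ValueError("unexpected return-parameter length")
    status, handle, key_size = struct.unpack_from("<BHB", params, 3)
    return handle & 0x0FFF, status, key_size

def audit(events, minimum=MIN_KEY_SIZE):
    """Return (handle, key_size, verdict) per key-size report, failing closed."""
    findings = []
    for raw in events:
        parsed = parse_key_size_event(raw)
        if parsed is None:
            continue
        handle, status, size = parsed
        if status != 0:
            findings.append((handle, None, "reject: key size could not be read"))
        elif not 1 <= size <= MAX_KEY_SIZE:
            findings.append((handle, size, "reject: size outside 1..16"))
        elif size < minimum:
            findings.append((handle, size, "reject: below minimum"))
        else:
            findings.append((handle, size, "ok"))
    return findings

# Constructed sample events (hex, without the H4 packet-type byte).
SAMPLE_EVENTS = [bytes.fromhex(h) for h in (
    "0e0401030c00",        # Command Complete for another opcode: skipped
    "0e07010814000b0010",  # handle 0x00b, 16-byte key
    "0e07010814000c0001",  # handle 0x00c, 1-byte key
    "0e07010814000d0007",  # handle 0x00d, 7-byte key
    "0e07010814020e0000",  # handle 0x00e, status 0x02: fail closed
)]
```

A link whose verdict is not "ok" should be disconnected or denied access to services that require encryption, since a short key offers no confidentiality.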

Examples

  1. August 2019 USENIX Security paper demonstrating downgrade of BR/EDR entropy to 1 byte.

  2. Bluetooth SIG specification update mandating a 7-byte minimum encryption key length.

Frequently asked questions

What is KNOB Attack?

A 2019 protocol flaw (CVE-2019-9506) allowing an attacker to force Bluetooth BR/EDR pairings down to one byte of effective entropy, enabling brute-force decryption. It belongs to the Attacks & Threats category of cybersecurity.

How do you defend against KNOB Attack?

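Defences for the KNOB attack typically combine technical controls and operational practices. The full definition above names two: the Bluetooth SIG specification change enforcing a 7-byte minimum key length, and the firmware updates OS vendors shipped throughout 2019 and 2020.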

What are other names for KNOB Attack?

Common alternative names include: Key Negotiation of Bluetooth, CVE-2019-9506.
