CISPA

Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy

journal contribution
posted on 2023-11-29, 18:07 authored by Daniele Antonioli, Nils Ole Tippenhauer, Kasper Rasmussen
Bluetooth (BR/EDR) and Bluetooth Low Energy (BLE) are pervasive wireless technologies specified in the Bluetooth standard. The standard includes key negotiation protocols used to generate long term keys (during pairing) and session keys (during secure connection establishment). In this work, we demonstrate that the key negotiation protocols of Bluetooth and BLE are vulnerable to standard-compliant entropy downgrade attacks. In particular, we show how an attacker can downgrade the entropy of any Bluetooth session key to 1 byte, and of any BLE long term key and session key to 7 bytes. Such low entropy values enable the attacker to brute force Bluetooth long term keys and BLE long term and session keys, and to break all the security guarantees promised by Bluetooth and BLE. As a result of our attacks, an attacker can decrypt all the ciphertext and inject valid ciphertext in any Bluetooth and BLE network. Our key negotiation downgrade attacks are conducted remotely, do not require access to the victims’ devices and are stealthy to the victims. As the attacks are standard-compliant, they are effective regardless of the usage of the strongest Bluetooth and BLE security modes (including Secure Connections), the Bluetooth version, and the implementation details of the devices used by the victims. We successfully attack 38 Bluetooth devices (32 unique Bluetooth chips) and 19 BLE devices from different vendors, using all the major versions of the Bluetooth standard. Finally, we present effective legacy compliant and non-legacy compliant countermeasures to mitigate our key negotiation downgrade attacks.

History

Preferred Citation

Daniele Antonioli, Nils Tippenhauer and Kasper Rasmussen. Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy. In: Transactions on Privacy and Security (TOPS). 2020.

Primary Research Area

  • Threat Detection and Defenses

Legacy Posted Date

2020-09-25

Journal

Transactions on Privacy and Security (TOPS)

Open Access Type

  • Gold

Sub Type

  • Article

BibTeX

@article{cispa_all_3225,
  title   = "Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy",
  author  = "Antonioli, Daniele and Tippenhauer, Nils Ole and Rasmussen, Kasper",
  journal = "{Transactions on Privacy and Security (TOPS)}",
  year    = "2020"
}
