Paper 2019/933

Low Entropy Key Negotiation Attacks on Bluetooth and Bluetooth Low Energy

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen


The specification of Bluetooth and Bluetooth Low Energy includes dedicated encryption key negotiation protocols used by two parties to agree on the entropy of encryption keys. In this work, we show that an attacker can manipulate the entropy negotiation of Bluetooth and Bluetooth Low Energy to drastically reduce the encryption key space. We call our attack the Key Negotiation Of Bluetooth (KNOB) attack. In the case of Bluetooth, we demonstrate that the entropy can be reduced from 16 to 1 Byte. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages in real-time. For Bluetooth Low Energy, we show that the entropy can still be downgraded from 16 to 7 Bytes, which reduces the attacker's effort to brute force the keys. We implement and evaluate the KNOB attack on 17 Bluetooth chips (e.g., Intel Broadcom, Apple, and Qualcomm) and 15 Bluetooth Low Energy devices (e.g., Lenovo, Garmin, Samsung, Xiaomi, and Fitbit). Our results demonstrate that all tested devices are vulnerable to the KNOB attack. We discuss legacy and non-legacy compliant countermeasures to neutralize or mitigate the KNOB attack.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Contact author(s)
antonioli daniele @ gmail com
tippenhauer @ cispa saarland
kasper rasmussen @ cs ox ac uk
2019-08-18: received
Short URL
Creative Commons Attribution


      author = {Daniele Antonioli and Nils Ole Tippenhauer and Kasper Rasmussen},
      title = {Low Entropy Key Negotiation Attacks on Bluetooth and Bluetooth Low Energy},
      howpublished = {Cryptology ePrint Archive, Paper 2019/933},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.