Firmware InsiderBluetooth Randomness is Mostly Random

Jörn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias HollickTechnische Universität Darmstadt, Germany

RANDOMNESSIS MY PASSION

2

???

3

How to acquire randomness?

A: 42 B: Random Access Memory

C: Random Only Memory D: Hardware RNG

4

RNG Variants 2 and 3

Device Chip Date Variant HRNG Location PRNG Cache

Google Nexus 5 Dec 11 2012 2 0x314004, 3 regs Yes (inline) No

MacBook 2016 Oct 22 2015 2 0x314004, 3 regs Yes (inline) No

CYW20735B1 Jan 18 2018 3 0x352600, 3 regs Yes (rbg_get_psrng), 8 registers

Yes, breaks after 32 elements

CYW20819A1 May 22 2018 3 0x352600, 3 regs Yes (rbg_get_psrng), 5 registers

Yes (with minor fixes)

5

RNG Variant 2

As seen on the MacBook Pro 2016 (BCM20703A2) and more...

● HRNG mapped to 0x314004

● Three 4 byte registers

● Inline PRNG fallback

● No cache

6

RNG Variant 2, PRNG Fallback

As seen on the MacBook Pro 2016 (BCM20703A2) and more...

● HRNG mapped to 0x314004

● Three 4 byte registers

● Inline PRNG fallback

● No cache

7

How random is the PRNG?

PRNG measurements taken on a Google Nexus 5 (BCM4335C0).

8

CVE Time!

...got assigned CVE-2020-6616 :)

9

Responsible Disclosure

We: Why would you introduce and maintain a PRNG if you had a proper HRNG?

Broadcom: Why should we use a PRNG when there is a HRNG in all of our devices?

???

10

11

Let’s take a look at a few more devices...

12

Measuring the HRNG

@fxrh says that Dieharder requires at least 1GB of data...

13

Optimizations

● Find a large free memory chunk that is not used while the chip is idle.… a region of 0x5000 bytes worked on most chips :D

● Record 4 bytes RNG output, add 0x42 as test byte in case another process writes to the same memory region.

● Asynchronous HCI event once the measurement is finished—no polling!

● Overwrite original rbg_rand function with return 0.

● Fix Launch_RAM on Google Nexus 6P, iPhone 7,CYW20719, CYW20735, CYW20819.

14

HRNG MeasurementsChip Device Samples Dieharder

BCM4335C0 Google Nexus 5 2.7GB Passed

BCM4358A3 Samsung Galaxy S6, Google Nexus 6P 2.1GB Passed

BCM43430A1 Raspberry Pi 3/Zero W 1.3GB Passed

BCM4345C0 Raspberry Pi 3+/4 1.4GB Passed

BCM4345B0 iPhone 6 1.8GB Passed

BCM4355C0 iPhone 7 1.0GB Passed

CYW20719B1 Evaluation Board 1.4GB Passed

CYW20735B1 Evaluation Board 1.6GB Passed

CYW20819A1 Evaluation Board 1.2GB Passed

BCM2046A2 iMac Late 2009 — ✓ HRNG

BCM20703A1 MacBook Pro early 2015 — ✓ HRNG

BCM4375B1 Samsung Galaxy S10/S20 — ✓ HRNG

BCM4347B1 iPhone 8/X/XR — ✓ HRNG

BCM4378B1 iPhone 11 — ✓ HRNG

15

But what about the variants???● Firmware is a raw binary.

● BinDiff finds ~6% matches (Nexus 5, no symbols).

● Any missing function changes statistics on the call graph etc.○ IDA 6.8 and Ghidra are a bit more aggressive in finding ARM instructions than

IDA 7.2, but they also find a lot false positives.○ Amnesia is way too aggressive.

● Feeding correct function starts/ends into IDA 7.2 with currentBinDiff provides perfect results, but we only have that forthe Cypress evaluation boards.

● Polypyus works well as long as the compiler optionswere the same. But this is not the case here.

https://github.com/seemoo-lab/polypyus

16

RNG Variant #1

Device Chip Date Variant HRNG Location PRNG Cache

iMac Late 2009 2007 1 0xE9A00, 3 regs Minimal (inline) No

MacBook 2011 Jul 9 2008 1 0xE9A00, 3 regs Minimal (inline) No

Asus USB Dongle Feb (?) 2010 1 0xEA204, 3 regs Minimal (inline) No

uint32 rbg_prng_fallback(void) { return clock ^ ((16 * static_register + 180) << 20) ^ static_value [4 * static_register ]}

17

More Chips of Variant 2 and 3

Device Chip Date Variant HRNG Location PRNG Cache

Google Nexus 5 Dec 11 2012 2 0x314004, 3 regs Yes (inline) No

iPhone 6 Jul 15 2013 2 0x314004, 3 regs Yes (inline) No

MacBook Pro early 2015 Dec 23 2013 2 0x314004, 3 regs Yes (inline) No

Raspberry Pi 3/Zero W Jun 2 2014 2 0x352600, 3 regs Yes (inline) No

Raspberry Pi 3+/4 Aug 19 2014 2 0x314004, 3 regs Yes (inline) No

Samsung Galaxy S6, Google Nexus 6P Oct 23 2014 2 0x314004, 3 regs Yes (inline) No

iPhone SE Jan 27 2015 2 0x314004, 3 regs Yes (inline) No

MacBook/iMac 2017-2019 Aug 21 2015 2 0x352600, 3 regs Yes (inline) No

iPhone 7 Sep 14 2015 2 0x352600, 3 regs Yes (inline) No

MacBook 2016/2017, iMac 2017 Oct 22 2015 2 0x314004, 3 regs Yes (inline) No

CYW20719B1 Jan 17 2017 2 0x352600, 3 regs Yes (inline) No

CYW20735B1 Jan 18 2018 3 0x352600, 3 regs Yes (rbg_get_psrng), 8 registers Yes, breaks after 32 elements

CYW20819A1 May 22 2018 3 0x352600, 3 regs Yes (rbg_get_psrng), 5 registers Yes (with minor fixes)

18

Variant 5

Device Chip Date Variant HRNG Location PRNG Cache

iPhone 8/X/XR Oct 11 2016 Variant #3Complete rework of rbg_ library,but still using sha128 wrapper

0x352600, 4 regs None Asynchronous 32x cache

Samsung Galaxy S10/S20 Apr 13 2018 Variant #3 0x352600, 4 regs None Asynchronous 32x cache

iPhone 11 Oct 25 2018 Variant #3 0x602600, 4 regs None Asynchronous 32x cache

19

Variant 4: Samsung Galaxy S8/S8+/Note 8

Device Chip Date Note HRNG Location PRNG Cache

Samsung Galaxy S8 Jun 3 2016 FAIL! FAIL! FAIL! - Only option

https://xkcd.com/221/

20

iOS 13.5 Updates

Bluetooth

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.

CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab

https://support.apple.com/en-us/HT211168

21

Variant 4: PRNG Inputs

22

Time Inputs

Hardware clock (timer1value) and Bluetooth clock (dc_nbtc_clk).

...crash only attacks become relevant again!

23

Signal Processing Inputs (1)

dc_fhout as histogram and over time.

24

Signal Processing Inputs (2)

rxInitAngle and agcStatus also have a lot of variety ;)

25

Where is randomness used anyway?

Just here and there…Like, everything that has to do with authentication and encryption.

26

Active MITM on Numeric Comparison

27

Android m)

28

Filling the private ECDH key directly from BLE rand...

https://android.googlesource.com/platform/system/bt/+/e410eeb88ee09844cb705c46ec726a73461d704c/stack/smp/smp_keys.cc

29

The Patch (June 2020 Patchlevel)

30

Lessons Learned

● Don’t trust an embedded RNG, it might be a bad PRNG.

● Excessive measurements and reverse-engineering are required to verify RNG quality.

● Each Broadcom firmware version has individual bugs <3

31

Credits

● @matedealer for surviving a thesis with me.

● Felix @fxrh for anything crypto.

● Matthias Hollick, my boss, for making it possible to order “some” hardware.

● Jakob Link from the Nexmon team (@nexmon_dev) for a remote setup to the Samsung Galaxy S8.

● Matthias Ringwald, Maximilian Tschirschnitz and Teal Starsong for reading our paper last minute and discussing some attacks.

32

ASK ALL THE QUESTIONS

!!! ??? Twitter: @naehrdine, @seemoolab

jiska@bluetooth.lol