Firmware Insider: Bluetooth Randomness is Mostly Random



slide-1
SLIDE 1

Firmware Insider

Bluetooth Randomness is Mostly Random

Jörn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick

Technische Universität Darmstadt, Germany

RANDOMNESS IS MY PASSION

slide-2
SLIDE 2

2

???

slide-3
SLIDE 3

3

How to acquire randomness?

A: 42
B: Random Access Memory
C: Random Only Memory
D: Hardware RNG

slide-4
SLIDE 4

4

RNG Variants 2 and 3

| Device | Chip Date | Variant | HRNG Location | PRNG | Cache |
|---|---|---|---|---|---|
| Google Nexus 5 | Dec 11 2012 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| MacBook 2016 | Oct 22 2015 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| CYW20735B1 | Jan 18 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 8 registers | Yes, breaks after 32 elements |
| CYW20819A1 | May 22 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 5 registers | Yes (with minor fixes) |

slide-5
SLIDE 5

5

RNG Variant 2

As seen on the MacBook Pro 2016 (BCM20703A2) and more...

  • HRNG mapped to 0x314004
  • Three 4 byte registers
  • Inline PRNG fallback
  • No cache

slide-6
SLIDE 6

6

RNG Variant 2, PRNG Fallback

As seen on the MacBook Pro 2016 (BCM20703A2) and more...

  • HRNG mapped to 0x314004
  • Three 4 byte registers
  • Inline PRNG fallback
  • No cache

slide-7
SLIDE 7

7

How random is the PRNG?

PRNG measurements taken on a Google Nexus 5 (BCM4335C0).

slide-8
SLIDE 8

8

CVE Time!

...got assigned CVE-2020-6616 :)

slide-9
SLIDE 9

9

Responsible Disclosure

We: Why would you introduce and maintain a PRNG if you had a proper HRNG?

Broadcom: Why should we use a PRNG when there is a HRNG in all of our devices?

???

slide-10
SLIDE 10

10

slide-11
SLIDE 11

11

Let’s take a look at a few more devices...

slide-12
SLIDE 12

12

Measuring the HRNG

@fxrh says that Dieharder requires at least 1GB of data...

slide-13
SLIDE 13

13

Optimizations

  • Find a large free memory chunk that is not used while the chip is idle.
    … a region of 0x5000 bytes worked on most chips :D
  • Record 4 bytes RNG output, add 0x42 as test byte in case another process writes to the same memory region.
  • Asynchronous HCI event once the measurement is finished—no polling!
  • Overwrite original rbg_rand function with return 0.
  • Fix Launch_RAM on Google Nexus 6P, iPhone 7, CYW20719, CYW20735, CYW20819.
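
The recording scheme from the list above, modelled on the host as an added example (not code from the talk or from the Broadcom/Cypress firmware): it fills a 0x5000-byte region with RNG outputs, then drops every record whose 0x42 test byte was overwritten before the data goes to a statistical test. The back-to-back 5-byte record layout, the function names and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_SIZE 0x5000u              /* free chunk size named on the slide */
#define RNG_BYTES   4u                   /* one recorded RNG output */
#define TEST_BYTE   0x42u                /* marker stored with every output */
#define RECORD_SIZE (RNG_BYTES + 1u)     /* assumed layout: 4 RNG bytes, then 0x42 */

/* Firmware side, modelled on the host: append one record.
 * Returns 1 on success, 0 once the region is full (measurement finished). */
int record_sample(uint8_t *region, size_t *off, uint32_t rng_word)
{
    if (*off + RECORD_SIZE > REGION_SIZE)
        return 0;
    memcpy(region + *off, &rng_word, RNG_BYTES);
    region[*off + RNG_BYTES] = TEST_BYTE;
    *off += RECORD_SIZE;
    return 1;
}

/* Host side: copy the RNG bytes of every intact record into out and count
 * records whose test byte was overwritten; those are dropped, not repaired.
 * A foreign write that leaves the test byte untouched is not detected. */
size_t extract_samples(const uint8_t *region, size_t used,
                       uint8_t *out, size_t *bad)
{
    size_t n = 0;
    *bad = 0;
    for (size_t off = 0; off + RECORD_SIZE <= used; off += RECORD_SIZE) {
        if (region[off + RNG_BYTES] != TEST_BYTE) { (*bad)++; continue; }
        memcpy(out + n, region + off, RNG_BYTES);
        n += RNG_BYTES;
    }
    return n;
}

int main(void)
{
    static uint8_t region[REGION_SIZE], out[REGION_SIZE];
    size_t off = 0, bad = 0;
    uint32_t fake = 1;                   /* constructed stand-in for RNG output */
    while (record_sample(region, &off, fake))
        fake = fake * 1664525u + 1013904223u;
    region[7 * RECORD_SIZE + RNG_BYTES] = 0x13;  /* simulate a stray write */
    size_t n = extract_samples(region, off, out, &bad);
    printf("%zu bytes kept, %zu records dropped\n", n, bad);
    return 0;
}
```

With this layout one region holds 4096 outputs (16 KiB of RNG data), so the 1GB that Dieharder requires needs many measurement rounds.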

slide-14
SLIDE 14

14

HRNG Measurements

| Chip | Device | Samples | Dieharder |
|---|---|---|---|
| BCM4335C0 | Google Nexus 5 | 2.7GB | Passed |
| BCM4358A3 | Samsung Galaxy S6, Google Nexus 6P | 2.1GB | Passed |
| BCM43430A1 | Raspberry Pi 3/Zero W | 1.3GB | Passed |
| BCM4345C0 | Raspberry Pi 3+/4 | 1.4GB | Passed |
| BCM4345B0 | iPhone 6 | 1.8GB | Passed |
| BCM4355C0 | iPhone 7 | 1.0GB | Passed |
| CYW20719B1 | Evaluation Board | 1.4GB | Passed |
| CYW20735B1 | Evaluation Board | 1.6GB | Passed |
| CYW20819A1 | Evaluation Board | 1.2GB | Passed |
| BCM2046A2 | iMac Late 2009 | — | ✓ HRNG |
| BCM20703A1 | MacBook Pro early 2015 | — | ✓ HRNG |
| BCM4375B1 | Samsung Galaxy S10/S20 | — | ✓ HRNG |
| BCM4347B1 | iPhone 8/X/XR | — | ✓ HRNG |
| BCM4378B1 | iPhone 11 | — | ✓ HRNG |

slide-15
SLIDE 15

15

But what about the variants???

  • Firmware is a raw binary.
  • BinDiff finds ~6% matches (Nexus 5, no symbols).
  • Any missing function changes statistics on the call graph etc.
      ○ IDA 6.8 and Ghidra are a bit more aggressive in finding ARM instructions than IDA 7.2, but they also find a lot of false positives.
      ○ Amnesia is way too aggressive.
  • Feeding correct function starts/ends into IDA 7.2 with current BinDiff provides perfect results, but we only have that for the Cypress evaluation boards.
  • Polypyus works well as long as the compiler options were the same. But this is not the case here.

https://github.com/seemoo-lab/polypyus

slide-16
SLIDE 16

16

RNG Variant #1

| Device | Chip Date | Variant | HRNG Location | PRNG | Cache |
|---|---|---|---|---|---|
| iMac Late 2009 | 2007 | 1 | 0xE9A00, 3 regs | Minimal (inline) | No |
| MacBook 2011 | Jul 9 2008 | 1 | 0xE9A00, 3 regs | Minimal (inline) | No |
| Asus USB Dongle | Feb (?) 2010 | 1 | 0xEA204, 3 regs | Minimal (inline) | No |

uint32 rbg_prng_fallback(void)
{
    /* Inputs: a clock value, one static register and a static lookup table. */
    return clock ^ ((16 * static_register + 180) << 20) ^ static_value[4 * static_register];
}

slide-17
SLIDE 17

17

More Chips of Variant 2 and 3

| Device | Chip Date | Variant | HRNG Location | PRNG | Cache |
|---|---|---|---|---|---|
| Google Nexus 5 | Dec 11 2012 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| iPhone 6 | Jul 15 2013 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| MacBook Pro early 2015 | Dec 23 2013 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| Raspberry Pi 3/Zero W | Jun 2 2014 | 2 | 0x352600, 3 regs | Yes (inline) | No |
| Raspberry Pi 3+/4 | Aug 19 2014 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| Samsung Galaxy S6, Google Nexus 6P | Oct 23 2014 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| iPhone SE | Jan 27 2015 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| MacBook/iMac 2017-2019 | Aug 21 2015 | 2 | 0x352600, 3 regs | Yes (inline) | No |
| iPhone 7 | Sep 14 2015 | 2 | 0x352600, 3 regs | Yes (inline) | No |
| MacBook 2016/2017, iMac 2017 | Oct 22 2015 | 2 | 0x314004, 3 regs | Yes (inline) | No |
| CYW20719B1 | Jan 17 2017 | 2 | 0x352600, 3 regs | Yes (inline) | No |
| CYW20735B1 | Jan 18 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 8 registers | Yes, breaks after 32 elements |
| CYW20819A1 | May 22 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 5 registers | Yes (with minor fixes) |

slide-18
SLIDE 18

18

Variant 5

| Device | Chip Date | Variant | HRNG Location | PRNG | Cache |
|---|---|---|---|---|---|
| iPhone 8/X/XR | Oct 11 2016 | Variant #3 | 0x352600, 4 regs | None | Asynchronous 32x cache |
| Samsung Galaxy S10/S20 | Apr 13 2018 | Variant #3 | 0x352600, 4 regs | None | Asynchronous 32x cache |
| iPhone 11 | Oct 25 2018 | Variant #3 | 0x602600, 4 regs | None | Asynchronous 32x cache |

Complete rework of rbg_ library, but still using sha128 wrapper

slide-19
SLIDE 19

19

Variant 4: Samsung Galaxy S8/S8+/Note 8

Device Chip Date Note HRNG Location PRNG Cache Samsung Galaxy S8 Jun 3 2016 FAIL! FAIL! FAIL!

  • Only option

https://xkcd.com/221/

slide-20
SLIDE 20

20

iOS 13.5 Updates

Bluetooth

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.

CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab

https://support.apple.com/en-us/HT211168

slide-21
SLIDE 21

21

Variant 4: PRNG Inputs

slide-22
SLIDE 22

22

Time Inputs

Hardware clock (timer1value) and Bluetooth clock (dc_nbtc_clk).

...crash-only attacks become relevant again!

slide-23
SLIDE 23

23

Signal Processing Inputs (1)

dc_fhout as histogram and over time.

slide-24
SLIDE 24

24

Signal Processing Inputs (2)

rxInitAngle and agcStatus also have a lot of variety ;)

slide-25
SLIDE 25

25

Where is randomness used anyway?

Just here and there… Like, everything that has to do with authentication and encryption.

slide-26
SLIDE 26

26

Active MITM on Numeric Comparison

slide-27
SLIDE 27

27

Android m)

slide-28
SLIDE 28

28

Filling the private ECDH key directly from BLE rand...

https://android.googlesource.com/platform/system/bt/+/e410eeb88ee09844cb705c46ec726a73461d704c/stack/smp/smp_keys.cc

slide-29
SLIDE 29

29

The Patch (June 2020 Patchlevel)

slide-30
SLIDE 30

30

Lessons Learned

  • Don’t trust an embedded RNG, it might be a bad PRNG.
  • Excessive measurements and reverse-engineering are required to verify RNG quality.
  • Each Broadcom firmware version has individual bugs <3

slide-31
SLIDE 31

31

Credits

  • @matedealer for surviving a thesis with me.
  • Felix @fxrh for anything crypto.
  • Matthias Hollick, my boss, for making it possible to order “some” hardware.
  • Jakob Link from the Nexmon team (@nexmon_dev) for a remote setup to the Samsung Galaxy S8.
  • Matthias Ringwald, Maximilian Tschirschnitz and Teal Starsong for reading our paper last minute and discussing some attacks.

slide-32
SLIDE 32

32

ASK ALL THE QUESTIONS !!! ???

Twitter: @naehrdine, @seemoolab jiska@bluetooth.lol