firmware insider
play

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS - PowerPoint PPT Presentation

Jul 25, 2023 •230 likes •562 views

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

  1. Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jörn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universität Darmstadt, Germany

  2. ??? 2

  3. How to acquire randomness? A: 42 B: Random Access Memory C: Random Only Memory D: Hardware RNG 3

  4. RNG Variants 2 and 3 Device Chip Date Variant HRNG Location PRNG Cache Google Nexus 5 Dec 11 2012 2 0x314004, 3 regs Yes (inline) No MacBook 2016 Oct 22 2015 2 0x314004, 3 regs Yes (inline) No CYW20735B1 Jan 18 2018 3 0x352600, 3 regs Yes ( rbg_get_psrng ), Yes, breaks after 32 elements 8 registers CYW20819A1 May 22 2018 3 0x352600, 3 regs Yes ( rbg_get_psrng ), Yes (with minor fixes) 5 registers 4

  5. RNG Variant 2 HRNG mapped to ● 0x314004 Three 4 byte registers ● Inline PRNG fallback ● No cache ● As seen on the MacBook Pro 2016 (BCM20703A2) and more... 5

  6. RNG Variant 2, PRNG Fallback HRNG mapped to ● 0x314004 Three 4 byte registers ● Inline PRNG fallback ● No cache ● As seen on the MacBook Pro 2016 (BCM20703A2) and more... 6

  7. How random is the PRNG? PRNG measurements taken on a Google Nexus 5 (BCM4335C0). 7

  8. CVE Time! ...got assigned CVE-2020-6616 :) 8

  9. Responsible Disclosure We: Why would you introduce and maintain a PRNG if you had a proper HRNG? Broadcom: Why should we use a PRNG when there is a HRNG in all of our devices? ??? 9

  10. 10

  11. Let’s take a look at a few more devices... 11

  12. Measuring the HRNG @fxrh says that Dieharder requires at least 1GB of data... 12

  13. Optimizations Find a large free memory chunk that is not used while the chip is idle. ● … a region of 0x5000 bytes worked on most chips :D Record 4 bytes RNG output, add 0x42 as test byte in case another process writes ● to the same memory region. Asynchronous HCI event once the measurement is finished— no polling ! ● Overwrite original rbg_rand function with return 0 . ● Fix Launch_RAM on Google Nexus 6P, iPhone 7, ● CYW20719, CYW20735, CYW20819. 13

  14. HRNG Measurements Chip Device Samples Dieharder BCM4335C0 Google Nexus 5 2.7GB Passed BCM4358A3 Samsung Galaxy S6, Google Nexus 6P 2.1GB Passed BCM43430A1 Raspberry Pi 3/Zero W 1.3GB Passed BCM4345C0 Raspberry Pi 3+/4 1.4GB Passed BCM4345B0 iPhone 6 1.8GB Passed BCM4355C0 iPhone 7 1.0GB Passed CYW20719B1 Evaluation Board 1.4GB Passed CYW20735B1 Evaluation Board 1.6GB Passed CYW20819A1 Evaluation Board 1.2GB Passed BCM2046A2 iMac Late 2009 — ✓ HRNG BCM20703A1 MacBook Pro early 2015 — ✓ HRNG BCM4375B1 Samsung Galaxy S10/S20 — ✓ HRNG BCM4347B1 iPhone 8/X/XR — ✓ HRNG BCM4378B1 iPhone 11 — ✓ HRNG 14

  15. But what about the variants??? Firmware is a raw binary. ● BinDiff finds ~6% matches (Nexus 5, no symbols). ● Any missing function changes statistics on the call graph etc. ● IDA 6.8 and Ghidra are a bit more aggressive in finding ARM instructions than ○ IDA 7.2, but they also find a lot false positives. Amnesia is way too aggressive. ○ Feeding correct function starts/ends into IDA 7.2 with current ● BinDiff provides perfect results, but we only have that for the Cypress evaluation boards. Polypyus works well as long as the compiler options ● were the same. But this is not the case here. https://github.com/seemoo-lab/polypyus 15

  16. RNG Variant #1 Device Chip Date Variant HRNG Location PRNG Cache iMac Late 2009 2007 1 0xE9A00, 3 regs Minimal (inline) No MacBook 2011 Jul 9 2008 1 0xE9A00, 3 regs Minimal (inline) No Asus USB Dongle Feb (?) 2010 1 0xEA204, 3 regs Minimal (inline) No uint32 rbg_prng_fallback (void) { return clock ^ ((16 * static_register + 180) << 20) ^ static_value [4 * static_register ] } 16

  17. More Chips of Variant 2 and 3 Device Chip Date Variant HRNG Location PRNG Cache Google Nexus 5 Dec 11 2012 2 0x314004, 3 regs Yes (inline) No iPhone 6 Jul 15 2013 2 0x314004, 3 regs Yes (inline) No MacBook Pro early 2015 Dec 23 2013 2 0x314004, 3 regs Yes (inline) No Raspberry Pi 3/Zero W Jun 2 2014 2 0x352600, 3 regs Yes (inline) No Raspberry Pi 3+/4 Aug 19 2014 2 0x314004, 3 regs Yes (inline) No Samsung Galaxy S6, Google Nexus 6P Oct 23 2014 2 0x314004, 3 regs Yes (inline) No iPhone SE Jan 27 2015 2 0x314004, 3 regs Yes (inline) No MacBook/iMac 2017-2019 Aug 21 2015 2 0x352600, 3 regs Yes (inline) No iPhone 7 Sep 14 2015 2 0x352600, 3 regs Yes (inline) No MacBook 2016/2017, iMac 2017 Oct 22 2015 2 0x314004, 3 regs Yes (inline) No CYW20719B1 Jan 17 2017 2 0x352600, 3 regs Yes (inline) No CYW20735B1 Jan 18 2018 3 0x352600, 3 regs Yes ( rbg_get_psrng ), 8 registers Yes, breaks after 32 elements CYW20819A1 May 22 2018 3 0x352600, 3 regs Yes ( rbg_get_psrng ), 5 registers Yes (with minor fixes) 17

  18. Variant 5 Device Chip Date Variant HRNG Location PRNG Cache iPhone 8/X/XR Oct 11 2016 Variant #3 0x352600, 4 regs None Asynchronous 32x cache Complete rework of rbg_ library, but still using sha128 wrapper Samsung Galaxy S10/S20 Apr 13 2018 Variant #3 0x352600, 4 regs None Asynchronous 32x cache iPhone 11 Oct 25 2018 Variant #3 0x602600, 4 regs None Asynchronous 32x cache 18

  19. Variant 4: Samsung Galaxy S8/S8+/Note 8 Device Chip Date Note HRNG Location PRNG Cache Samsung Galaxy S8 Jun 3 2016 FAIL! FAIL! FAIL! - Only option https://xkcd.com/221/ 19

  20. iOS 13.5 Updates Bluetooth Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management. CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab https://support.apple.com/en-us/HT211168 20

  21. Variant 4: PRNG Inputs 21

  22. Time Inputs Hardware clock ( timer1value ) and Bluetooth clock ( dc_nbtc_clk ). ...crash only attacks become relevant again! 22

  23. Signal Processing Inputs (1) dc_fhout as histogram and over time. 23

  24. Signal Processing Inputs (2) rxInitAngle and agcStatus also have a lot of variety ;) 24

  25. Where is randomness used anyway? Just here and there… Like, everything that has to do with authentication and encryption. 25

  26. Active MITM on Numeric Comparison 26

  27. Android m) 27

  28. Filling the private ECDH key directly from BLE rand... https://android.googlesource.com/platform/system/bt/+/e410eeb88ee09844cb705c46ec726a73461d704c/stack/smp/smp_keys.cc 28

  29. The Patch (June 2020 Patchlevel) 29

  30. Lessons Learned Don’t trust an embedded RNG, it might be a bad PRNG. ● Excessive measurements and reverse-engineering are required to verify RNG ● quality. Each Broadcom firmware version has individual bugs <3 ● 30

  31. Credits @matedealer for surviving a thesis with me. ● Felix @fxrh for anything crypto. ● Matthias Hollick, my boss, for making it possible to order “some” hardware. ● Jakob Link from the Nexmon team ( @nexmon_dev ) for a remote setup to ● the Samsung Galaxy S8. Matthias Ringwald, Maximilian Tschirschnitz and Teal Starsong for reading ● our paper last minute and discussing some attacks. 31

  32. ASK ALL THE QUESTIONS !!! ??? Twitter: @naehrdine, @seemoolab jiska@bluetooth.lol 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and Challenges Challenges Mission critical information = High value target Threatens Government organizations and large corporations

435 views • 39 slides
Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with hardware innovations. Tom Melham University of Oxford Problem Firmware today facing greater complexity and shorter schedules coded at low

478 views • 14 slides
OUTLINE NE The 'Self' lf' as 'Insider der' in in Resear arch ch Wh What are the the

OUTLINE NE The 'Self' lf' as 'Insider der' in in Resear arch ch Wh What are the the

OUTLINE NE The 'Self' lf' as 'Insider der' in in Resear arch ch Wh What are the the ben benef efits of of the the 'in 'insider'? What are the Wh the chal allen enges es? The risks of of my my 'in 'insider' sta

199 views • 7 slides
A white noise approach to optimal insider control of systems with delay Olfa Draouil Joint work

A white noise approach to optimal insider control of systems with delay Olfa Draouil Joint work

The Donsker delta functional Optimal insider Control problem for SDDE Transforming the insider control problem to a related parameterized non-insider problem Maximum principle theorems Applications A white noise approach to optimal insider

554 views • 40 slides
Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura University of Hawaii December 14, 2012 US Firmware Meeting 1 v2 Firmware Version 2 firmware is largely done: New interface to the DAQ

273 views • 5 slides
CRACK WHIPS ON WILFUL DEFAULTERS What is Insider Trading? Insider Trading is trading/ dealing of a

CRACK WHIPS ON WILFUL DEFAULTERS What is Insider Trading? Insider Trading is trading/ dealing of a

Revamping of SEBI Regulations : A move towards ensuring lucidity in the Regime NEW INSIDER TRADING REGULATIONS: AIMED TO CRACK WHIPS ON WILFUL DEFAULTERS What is Insider Trading? Insider Trading is trading/ dealing of a companys stock by an

941 views • 56 slides
Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First Conference, Vienna Agenda Background Previous work Information leakage by malicious insider Our Research How to prevent 2 Insider

335 views • 30 slides
Insider Threats Maria Thompson State Chief Information Risk Officer February 1, 2018 Who is an

Insider Threats Maria Thompson State Chief Information Risk Officer February 1, 2018 Who is an

Insider Threats Maria Thompson State Chief Information Risk Officer February 1, 2018 Who is an insider? Who is an insider? Carnegie Mellon CERT definition of insider: Someone who has authorized access to an organizations facilities,

217 views • 21 slides
Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook &lt;keescook@chromium.org&gt; (pronounced Case) Overview Wait, which firmware? Threats Update methods

311 views • 20 slides
DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal Demonstrate upstream DAQ functions in firmware before design review - Have implementation ready before May 2020 10-second buffer Hit

466 views • 13 slides
Special Derivatives Insider Trading Considerations and Risk Reduction Techniques During a

Special Derivatives Insider Trading Considerations and Risk Reduction Techniques During a

Special Derivatives Insider Trading Considerations and Risk Reduction Techniques During a Pandemic Clifford Chance US LLP May 21, 2020 Overview Increased Potential for Insider Trading Liability U.S. Enforcement Fundamentals Insider

245 views • 22 slides
WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background ProtoDUNE WIB operated (and continuing) successfully FPGA was an Altera Aria V All-firmware design, included different firmware sets for

843 views • 47 slides
Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
Counterintelligence &amp; Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence &amp; Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence &amp; Insider Threat Detection National Insider Threat Special Interest Group July 18, 2017 Douglas D. Thomas Director, Counterintelligence Operations &amp; Corporate Investigations Lockheed Martin Counterintelligence

706 views • 16 slides
Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS alternative (coreboot, OpenEC) Figure out possible attack vectors via firmware trojans We will take only case of modern PC/Laptop/Server firmware(s).

747 views • 46 slides
INSIDER SUMMIT 2019 Insights at the Insider Summit Thinking and dreaming about TBM!

INSIDER SUMMIT 2019 Insights at the Insider Summit Thinking and dreaming about TBM!

INSIDER SUMMIT 2019 Insights at the Insider Summit Thinking and dreaming about TBM! Every company is a technology company Speed is the new currency and data is the new oil! We must increase our clock speed! Cloud is not a

357 views • 24 slides
Good morning! Lecture will start at 10:45 (let's wait for everyone). If you have any

Good morning! Lecture will start at 10:45 (let's wait for everyone). If you have any

Good morning! Lecture will start at 10:45 (let's wait for everyone). If you have any question, please ask in the chat. Note that lecture will be recorded. Please write your name and ID there: https://forms.gle/wnzf5AFNtkWAmu4r7

527 views • 26 slides
Image Processing 12. Photometric Stereo Aleix M. Martinez aleix@ece.osu.edu Illumination A 3D

Image Processing 12. Photometric Stereo Aleix M. Martinez aleix@ece.osu.edu Illumination A 3D

Image Processing 12. Photometric Stereo Aleix M. Martinez aleix@ece.osu.edu Illumination A 3D object illuminated with a light source. ^ n ^ s a Intensity at image point I(u,v) (u,v) T . 1 Photometric Stereo = I ( x , y ) kB

501 views • 5 slides
CS 543 - Computer Graphics: Illumination and Shading I by Robert W. Lindeman gogo@wpi.edu

CS 543 - Computer Graphics: Illumination and Shading I by Robert W. Lindeman gogo@wpi.edu

CS 543 - Computer Graphics: Illumination and Shading I by Robert W. Lindeman gogo@wpi.edu (with help from Emmanuel Agu ;-) Illumination and Shading Problem: Model light/surface point interactions to determine final color and brightness

447 views • 22 slides
Welcome! , = (, ) , + , ,

Welcome! , = (, ) , + , ,

INFOMAGR Advanced Graphics Jacco Bikker - February April 2016 Welcome! , = (, ) , + , , , Todays Agenda:

928 views • 60 slides
Back to My Mac 77 th IETF, Anaheim 24 th March 2010 Rory McGuire Stuart Cheshire Overview .Mac

Back to My Mac 77 th IETF, Anaheim 24 th March 2010 Rory McGuire Stuart Cheshire Overview .Mac

Back to My Mac 77 th IETF, Anaheim 24 th March 2010 Rory McGuire Stuart Cheshire Overview .Mac (Mobile Me) Cafe Work PowerBook G4 Home Overview .Mac (Mobile Me) Cafe Work ? ? PowerBook G4 ? Home Overview .Mac (Mobile Me) Cafe

797 views • 40 slides
Interpolation sets and quotients of function spaces on a locally compact group II Jorge Galindo

Interpolation sets and quotients of function spaces on a locally compact group II Jorge Galindo

A general theorem Some quotients One application: strong Arens irregularity of L 1( G ) Interpolation sets and quotients of function spaces on a locally compact group II Jorge Galindo Instituto de Matem aticas y Aplicaciones de Castell

901 views • 74 slides
1 DUT DNS . FW Dual-Stack WWW Dual-Stack . Internet WLAN . IPv6 DUT 1) Silent drop

1 DUT DNS . FW Dual-Stack WWW Dual-Stack . Internet WLAN . IPv6 DUT 1) Silent drop

1 DUT DNS . FW Dual-Stack WWW Dual-Stack . Internet WLAN . IPv6 DUT 1) Silent drop IPv6 ICMPv6 no route 2) IPv6 ICMPv6 address unreachable 3) 2 Device DNS query IPv6 broken, time until fallback to IPv4 Comments sending

278 views • 6 slides
Common visualization Issues &amp; how to fix them Duen Horng (Polo) Chau Assistant

Common visualization Issues &amp; how to fix them Duen Horng (Polo) Chau Assistant

http://poloclub.gatech.edu/cse6242 CSE6242 / CX4242: Data &amp; Visual Analytics Common visualization Issues &amp; how to fix them Duen Horng (Polo) Chau Assistant Professor Associate Director, MS Analytics Georgia Tech

1.23k views • 64 slides

More recommend