Firmware Insider: Bluetooth Randomness is Mostly Random
Jörn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick
Technische Universität Darmstadt, Germany
RANDOMNESS IS MY PASSION
2
???
3
How to acquire randomness?
A: 42
B: Random Access Memory
C: Random Only Memory
D: Hardware RNG
4
RNG Variants 2 and 3
Device | Chip Date | Variant | HRNG Location | PRNG | Cache
Google Nexus 5 | Dec 11 2012 | 2 | 0x314004, 3 regs | Yes (inline) | No
MacBook 2016 | Oct 22 2015 | 2 | 0x314004, 3 regs | Yes (inline) | No
CYW20735B1 | Jan 18 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 8 registers | Yes, breaks after 32 elements
CYW20819A1 | May 22 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 5 registers | Yes (with minor fixes)
5
RNG Variant 2
As seen on the MacBook Pro 2016 (BCM20703A2) and more...
● HRNG mapped to 0x314004
● Three 4-byte registers
● Inline PRNG fallback
● No cache
6
RNG Variant 2, PRNG Fallback
7
How random is the PRNG?
PRNG measurements taken on a Google Nexus 5 (BCM4335C0).
8
CVE Time!
...got assigned CVE-2020-6616 :)
9
Responsible Disclosure
We: Why would you introduce and maintain a PRNG if you had a proper HRNG?
Broadcom: Why should we use a PRNG when there is a HRNG in all of our devices?
???
10
11
Let’s take a look at a few more devices...
12
Measuring the HRNG
@fxrh says that Dieharder requires at least 1GB of data...
13
Optimizations
● Find a large free memory chunk that is not used while the chip is idle… a region of 0x5000 bytes worked on most chips :D
● Record 4 bytes RNG output, add 0x42 as test byte in case another process writes to the same memory region.
● Asynchronous HCI event once the measurement is finished—no polling!
● Overwrite original rbg_rand function with return 0.
● Fix Launch_RAM on Google Nexus 6P, iPhone 7, CYW20719, CYW20735, CYW20819.
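An added example (not code from the talk or the firmware) of how a host-side tool can check a dumped measurement region before the data goes to Dieharder. It assumes each record is the 4 RNG bytes followed directly by the 0x42 test byte; the function names and the sample dump are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SAMPLE_LEN 4u                 /* RNG bytes per record (from the slide) */
#define MARKER     0x42u              /* test byte per record (from the slide) */
#define RECORD_LEN (SAMPLE_LEN + 1u)  /* assumed layout: sample, then marker */
#define REGION_LEN 0x5000u            /* size of the free chunk (from the slide) */

/* Copy every sample whose marker is intact from a dumped region into out.
 * Returns bytes written; *rejected counts records with a clobbered marker. */
size_t extract_samples(const uint8_t *buf, size_t len,
                       uint8_t *out, size_t out_cap, size_t *rejected)
{
    size_t written = 0;
    *rejected = 0;
    for (size_t off = 0; off + RECORD_LEN <= len; off += RECORD_LEN) {
        if (buf[off + SAMPLE_LEN] != MARKER) {
            (*rejected)++;            /* another writer touched this record */
            continue;
        }
        if (written + SAMPLE_LEN > out_cap)
            break;                    /* never overrun the caller's buffer */
        memcpy(out + written, buf + off, SAMPLE_LEN);
        written += SAMPLE_LEN;
    }
    return written;
}

/* Fill-and-dump rounds needed to collect target_bytes of RNG output. */
uint64_t rounds_needed(uint64_t target_bytes)
{
    uint64_t per_round = (REGION_LEN / RECORD_LEN) * SAMPLE_LEN;
    return (target_bytes + per_round - 1) / per_round;
}

/* Constructed dump: three records (the second clobbered) and a partial tail. */
static const uint8_t sample_dump[] = {
    0xde, 0xad, 0xbe, 0xef, 0x42,  0x00, 0x00, 0x00, 0x00, 0x00,
    0x13, 0x37, 0xc0, 0xde, 0x42,  0xaa, 0xbb,
};

int main(void)
{
    uint8_t out[16];
    size_t rejected, n = extract_samples(sample_dump, sizeof sample_dump,
                                         out, sizeof out, &rejected);
    printf("%zu bytes kept, %zu records rejected\n", n, rejected);
    return 0;
}
```

Under the assumed layout one 0x5000-byte region yields 16384 bytes of RNG output, so the 1GB that Dieharder needs takes tens of thousands of fill-and-dump rounds.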
14
HRNG Measurements
Chip | Device | Samples | Dieharder
BCM4335C0 | Google Nexus 5 | 2.7GB | Passed
BCM4358A3 | Samsung Galaxy S6, Google Nexus 6P | 2.1GB | Passed
BCM43430A1 | Raspberry Pi 3/Zero W | 1.3GB | Passed
BCM4345C0 | Raspberry Pi 3+/4 | 1.4GB | Passed
BCM4345B0 | iPhone 6 | 1.8GB | Passed
BCM4355C0 | iPhone 7 | 1.0GB | Passed
CYW20719B1 | Evaluation Board | 1.4GB | Passed
CYW20735B1 | Evaluation Board | 1.6GB | Passed
CYW20819A1 | Evaluation Board | 1.2GB | Passed
BCM2046A2 | iMac Late 2009 | — | ✓ HRNG
BCM20703A1 | MacBook Pro early 2015 | — | ✓ HRNG
BCM4375B1 | Samsung Galaxy S10/S20 | — | ✓ HRNG
BCM4347B1 | iPhone 8/X/XR | — | ✓ HRNG
BCM4378B1 | iPhone 11 | — | ✓ HRNG
15
But what about the variants???
● Firmware is a raw binary.
● BinDiff finds ~6% matches (Nexus 5, no symbols).
● Any missing function changes statistics on the call graph etc.
○ IDA 6.8 and Ghidra are a bit more aggressive in finding ARM instructions than IDA 7.2, but they also find a lot of false positives.
○ Amnesia is way too aggressive.
● Feeding correct function starts/ends into IDA 7.2 with current BinDiff provides perfect results, but we only have that for the Cypress evaluation boards.
● Polypyus works well as long as the compiler options were the same. But this is not the case here.
https://github.com/seemoo-lab/polypyus
16
RNG Variant #1
Device | Chip Date | Variant | HRNG Location | PRNG | Cache
iMac Late 2009 | 2007 | 1 | 0xE9A00, 3 regs | Minimal (inline) | No
MacBook 2011 | Jul 9 2008 | 1 | 0xE9A00, 3 regs | Minimal (inline) | No
Asus USB Dongle | Feb (?) 2010 | 1 | 0xEA204, 3 regs | Minimal (inline) | No
/* Variant 1 PRNG fallback: a clock value XORed with two terms derived from static_register */
uint32 rbg_prng_fallback(void) {
    return clock ^ ((16 * static_register + 180) << 20) ^ static_value[4 * static_register];
}
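An added model (not the firmware's code) of why this fallback is only "minimal": if static_register and the static_value entry stay fixed between calls, as their names on the slide suggest, every output bit that changes comes from the clock. The parameter values, the helper names and the run of consecutive clock ticks are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The slide's expression with its inputs as parameters. static_word stands
 * for static_value[4 * static_register]; all values here are constructed. */
uint32_t fallback_model(uint32_t clock, uint32_t static_register,
                        uint32_t static_word)
{
    return clock ^ ((16u * static_register + 180u) << 20) ^ static_word;
}

/* Mask of bit positions that differ anywhere across a run of outputs.
 * Bits outside this mask stayed constant during the run. */
uint32_t varying_bits(const uint32_t *outs, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= outs[i] ^ outs[0];
    return mask;
}

/* Number of set bits: how many output bits changed at all in the run. */
unsigned popcount32(uint32_t v)
{
    unsigned c = 0;
    for (; v; v &= v - 1)
        c++;
    return c;
}

/* Fill outs with n outputs drawn at consecutive clock ticks from start. */
void draw_run(uint32_t start, uint32_t reg, uint32_t word,
              uint32_t *outs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        outs[i] = fallback_model(start + (uint32_t)i, reg, word);
}

int main(void)
{
    uint32_t outs[64];
    draw_run(0x1000u, 3u, 0xdeadbeefu, outs, 64);
    uint32_t mask = varying_bits(outs, 64);
    printf("varying mask 0x%08x (%u bits)\n", (unsigned)mask, popcount32(mask));
    return 0;
}
```

The XOR of any two outputs equals the XOR of the two clock values, whatever the static terms are, which is why the quality of this fallback rests entirely on the clock.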
17
More Chips of Variant 2 and 3
Device | Chip Date | Variant | HRNG Location | PRNG | Cache
Google Nexus 5 | Dec 11 2012 | 2 | 0x314004, 3 regs | Yes (inline) | No
iPhone 6 | Jul 15 2013 | 2 | 0x314004, 3 regs | Yes (inline) | No
MacBook Pro early 2015 | Dec 23 2013 | 2 | 0x314004, 3 regs | Yes (inline) | No
Raspberry Pi 3/Zero W | Jun 2 2014 | 2 | 0x352600, 3 regs | Yes (inline) | No
Raspberry Pi 3+/4 | Aug 19 2014 | 2 | 0x314004, 3 regs | Yes (inline) | No
Samsung Galaxy S6, Google Nexus 6P | Oct 23 2014 | 2 | 0x314004, 3 regs | Yes (inline) | No
iPhone SE | Jan 27 2015 | 2 | 0x314004, 3 regs | Yes (inline) | No
MacBook/iMac 2017-2019 | Aug 21 2015 | 2 | 0x352600, 3 regs | Yes (inline) | No
iPhone 7 | Sep 14 2015 | 2 | 0x352600, 3 regs | Yes (inline) | No
MacBook 2016/2017, iMac 2017 | Oct 22 2015 | 2 | 0x314004, 3 regs | Yes (inline) | No
CYW20719B1 | Jan 17 2017 | 2 | 0x352600, 3 regs | Yes (inline) | No
CYW20735B1 | Jan 18 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 8 registers | Yes, breaks after 32 elements
CYW20819A1 | May 22 2018 | 3 | 0x352600, 3 regs | Yes (rbg_get_psrng), 5 registers | Yes (with minor fixes)
18
Variant 5
Device | Chip Date | Variant | HRNG Location | PRNG | Cache
iPhone 8/X/XR | Oct 11 2016 | Variant #3 | 0x352600, 4 regs | None | Asynchronous 32x cache
Samsung Galaxy S10/S20 | Apr 13 2018 | Variant #3 | 0x352600, 4 regs | None | Asynchronous 32x cache
iPhone 11 | Oct 25 2018 | Variant #3 | 0x602600, 4 regs | None | Asynchronous 32x cache
Complete rework of rbg_ library, but still using sha128 wrapper
19
Variant 4: Samsung Galaxy S8/S8+/Note 8
Device Chip Date Note HRNG Location PRNG Cache
Samsung Galaxy S8 Jun 3 2016 FAIL! FAIL! FAIL! - Only option
https://xkcd.com/221/
20
iOS 13.5 Updates
Bluetooth
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.
CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab
https://support.apple.com/en-us/HT211168
21
Variant 4: PRNG Inputs
22
Time Inputs
Hardware clock (timer1value) and Bluetooth clock (dc_nbtc_clk).
...crash only attacks become relevant again!
23
Signal Processing Inputs (1)
dc_fhout as histogram and over time.
24
Signal Processing Inputs (2)
rxInitAngle and agcStatus also have a lot of variety ;)
25
Where is randomness used anyway?
Just here and there… Like, everything that has to do with authentication and encryption.
26
Active MITM on Numeric Comparison
27
Android m)
28
Filling the private ECDH key directly from BLE rand...
https://android.googlesource.com/platform/system/bt/+/e410eeb88ee09844cb705c46ec726a73461d704c/stack/smp/smp_keys.cc
29
The Patch (June 2020 Patchlevel)
30
Lessons Learned
● Don’t trust an embedded RNG, it might be a bad PRNG.
● Excessive measurements and reverse-engineering are required to verify RNG quality.
● Each Broadcom firmware version has individual bugs <3
31
Credits
● @matedealer for surviving a thesis with me.
● Felix @fxrh for anything crypto.
● Matthias Hollick, my boss, for making it possible to order “some” hardware.
● Jakob Link from the Nexmon team (@nexmon_dev) for a remote setup to the Samsung Galaxy S8.
● Matthias Ringwald, Maximilian Tschirschnitz and Teal Starsong for reading our paper last minute and discussing some attacks.