Firmware Insider: Bluetooth Randomness is Mostly Random

TL;DR

This paper evaluates the quality of Bluetooth RNGs in popular chips, revealing widespread reliance on insecure fallback generators and providing tools for further testing of their security.

Contribution

It provides a comprehensive analysis of Bluetooth RNG implementations, highlighting security issues and offering measurement tools for public testing.

Findings

Most devices use insecure PRNG fallback

Popular devices rely on weak RNGs due to missing HRNG

Broadcom and Cypress HRNGs pass advanced statistical tests

Abstract

Bluetooth chips must include a Random Number Generator (RNG). This RNG is used internally within cryptographic primitives but also exposed to the operating system for chip-external applications. In general, it is a black box with security-critical authentication and encryption mechanisms depending on it. In this paper, we evaluate the quality of RNGs in various Broadcom and Cypress Bluetooth chips. We find that the RNG implementation significantly changed over the last decade. Moreover, most devices implement an insecure Pseudo-Random Number Generator (PRNG) fallback. Multiple popular devices, such as the Samsung Galaxy S8 and its variants as well as an iPhone, rely on the weak fallback due to missing a Hardware Random Number Generator (HRNG). We statistically evaluate the output of various HRNGs in chips used by hundreds of millions of devices. While the Broadcom and Cypress HRNGs pass advanced tests, it remains indistinguishable for users if a Bluetooth chip implements a secure RNG without an extensive analysis as in this paper. We describe our measurement methods and publish our tools to enable further public testing.