Posts

Broadcom Bluetooth: Generating (not so?) random numbers

When looking into the most recent Bluetooth patches of the Samsung Galaxy Note 20 5G, I found something interesting. Once again, it's about the Random Number Generator (RNG). Jörn, Felix and I already published a WOOT paper about this last year. But there were some updates since then, which will be covered in this blog post. Oh, and it also contains assembly for the curious reverse engineer, additional honest opinions (I hope reviewer 2 will never find my blog), rants, and explanations for people who are new to Bluetooth. If you already saw the talk or read the paper, you might want to skip forward to "The unexpected patch". But you will miss some ranting!!!11!

Why should anyone look into a random number generator? An RNG is one of those dragons that live deep inside the firmware or even hardware. Just don't look at them. Otherwise, something might break :) The Bluetooth Core Specification, currently at version 5.2, specifies that a Bluetooth chip has to provide a F

Broadcom Bluetooth: Unpatching the unpatchable

Due to some vulnerabilities found recently, Broadcom started to see the "Bluetooth host -> Bluetooth controller" communication as an attack surface. In Bluetooth terminology, the host is the operating system with a Bluetooth daemon, e.g. iOS or Android, and the controller is Broadcom's Bluetooth chip. A lot of manufacturers see that as an attack surface - to protect their intellectual property or to prevent people from using their smartphone as a software-defined radio. Moreover, it raises the bar for initial exploit development. Other manufacturers protect their chips with secure boot. This means that they sign their firmware. The chip has a minimal bootloader, which loads the vendor's firmware for that chip, checks the signature, and then boots it. Thus, for a lot of chips, the first step is to find a secure boot bypass or to find a vendor/device that has secure boot disabled. Broadcom had an interesting idea on that, for both Bluetooth and Wi-Fi chips. They store their

Decent low-cost OBS setup

A lot of people asked me about my OBS setup. So I'm releasing a few details here. Feel free to ask questions in case I forgot anything.

Recording on a laptop

Yes, I'm recording my videos on a laptop. Initially, I tried a 5 year old X1 Yoga running Linux. While this works okay-ish, once I used a dual camera setup, my recordings sometimes had very low frames per second and other weird effects. Using the cheapest MacBook Pro 2019 model (the 1.4 GHz variant with 8 GB RAM), recording works after a reboot and closing all other programs, even when running two OBS instances at once. Since upgrading to a MacBook Pro 2020 (2 GHz, 16 GB RAM) all these issues are gone. Always make a couple of test recordings that last longer than a minute to see if your laptop can handle the load. I had to re-record one of my talks that I recorded on the X1 Yoga because 5 frames per second and lagging audio didn't make me happy ;)

Smartphone camera

Webcams suck. Even the one in my MacBook Pro 2020. If

Your critical infrastructure bug won't be fixed and this is why

Water, electricity, transportation—all of them are critical infrastructures. In Germany, everything classified as part of a critical infrastructure has to conform to security and safety guidelines. I had some nightmares^Wexperiences with these in the past. And I decided to only work on projects classified as critical infrastructure if I could do defensive research, despite being a mostly offensive security researcher. This blog post outlines why offensive critical infrastructure research is a bad idea, and is also a long rant about an article that will be released in a German magazine on December 19th. Sorry for ranting!!!!1!11

Critical infrastructure security

Critical infrastructure is regulated and has to follow various certifications. Disclaimer, I'm not an expert on this. However, certifications are both good and bad: Everything classified as critical infrastructure has to pass various tests, ensuring it is safe and secure. Such tests are limited in scope and prevent the abilit

Supervising B.Sc./M.Sc. theses

What to expect from supervising students

So far, I supervised approximately 30 B.Sc./M.Sc. students. My supervision style might not work for everyone—but it turned out to work quite well for the average chaotic nerd with an interest in IT security. When deciding to supervise a thesis, many people think this could be a great workforce in accelerating their PhD. I didn't have that illusion, as my M.Sc. thesis co-supervisor told me that he had a ratio of 1/3 of the students actually helping him with research, and the others just being more supervision overhead than what they got in return. Depending on your research topic, this ratio is quite accurate. In fact, not supervising theses, working on your own whenever possible, and carefully selecting with whom you're going to collaborate might be the better career advice for finishing your PhD within a short time. Nonetheless, being a good thesis supervisor can be very rewarding and you will learn a lot. While most think a PhD is