Bluetooth chips must include a Random Number Generator (RNG). This RNG is used internally within cryptographic primitives but also exposed to the operating system for chip-external applications. In general, it is a black box with security-critical authentication and encryption mechanisms depending on it. In this paper, we evaluate the quality of RNGs in various Broadcom and Cypress Bluetooth chips. We find that the RNG implementation significantly changed over the last decade. Moreover, most devices implement an insecure Pseudo-Random Number Generator (PRNG) fallback. Multiple popular devices, such as the Samsung Galaxy S8 and its variants as well as an iPhone, rely on the weak fallback due to missing a Hardware Random Number Generator (HRNG). We statistically evaluate the output of various HRNGs in chips used by hundreds of millions of devices. While the Broadcom and Cypress HRNGs pass advanced tests, it remains indistinguishable for users if a Bluetooth chip implements a secure RNG without an extensive analysis as in this paper. We describe our measurement methods and publish our tools to enable further public testing.

中文翻译：

---

固件内幕：蓝牙随机性大多是随机的

蓝牙芯片必须包含一个随机数发生器 (RNG)。该 RNG 在加密原语内部使用，但也暴露给操作系统以用于芯片外部应用程序。通常，它是一个黑匣子，具有依赖于它的安全关键身份验证和加密机制。在本文中，我们评估了各种 Broadcom 和 Cypress 蓝牙芯片中 RNG 的质量。我们发现 RNG 的实现在过去十年中发生了显着变化。此外，大多数设备实现了不安全的伪随机数生成器 (PRNG) 回退。由于缺少硬件随机数生成器 (HRNG)，多种流行设备，例如三星 Galaxy S8 及其变体以及 iPhone，都依赖于弱回退。我们统计评估了数亿台设备使用的芯片中各种 HRNG 的输出。虽然 Broadcom 和 Cypress HRNG 通过了高级测试，但用户仍然无法区分蓝牙芯片是否实现了安全 RNG，而无需像本文那样进行广泛的分析。我们描述了我们的测量方法并发布了我们的工具，以实现进一步的公开测试。