A group of researchers has discovered multiple vulnerabilities, tracked as SweynTooth, in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.
The group was composed of researchers Matheus E.
The protocol Bluetooth Low Energy (BLE) was released in 2010 and it is designed to implement a new generation of services for mobile applications. The protocol specifically addresses power consumption of new applications, trying to reduce the draining of batteries in a condition of constantly transmitting signals.
Now experts found 12 vulnerabilities in the BLE software development kits (SDKs) of seven
Experts revealed that they have also identified several medical and logistics products that could be affected by the SweynTooth flaws.
The researchers already reported the flaws to the vendors, and most of them have already addressed them the issues
Experts confirmed that more issues are still under disclosure and that the list of impacted SoC vendors is longer, and the number of IoT products designed on top of vulnerable SoCs still need independent patches from their respective vendors.
“The exploitation of the vulnerabilities translates to dangerous attack vectors against many IoT products released in 2018-2019. At first glance, most of the vulnerabilities affect product’s availability by allowing them to be remotely restarted, deadlocked or having their security bypassed. “continues the experts.
Making a quick search on the Bluetooth Listing Search site, experts discovered that around 480 product listings employ the affected SoCs, each of them containing several products.
A vulnerability named Link Layer Length Overflow impacts Cypress PSoC4/6 BLE Component 3.41/2.60 (CVE-2019-16336) and NXP KW41Z 3.40 SDK (CVE-2019-17519). The issue initially causes denial of service (
Below the list of the flaws:
Below two video
At the time of the report. Dialog, Microchip and STMicroelectroncs have yet to release patches to address the flaws in the affected products.
“Our findings expose some fundamental attack vectors against certified and
(SecurityAffairs – SweynTooth, hacking)