Security experts have discovered multiple flaws, dubbed SweynTooth, in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.
The group was composed of researchers Matheus E.
The Bluetooth Low Energy (BLE) protocol was released in 2010 and is designed to support a new generation of services for mobile applications. It specifically targets the power consumption of such applications, reducing battery drain on devices that transmit almost constantly.
The experts found 12 vulnerabilities in the BLE software development kits (SDKs) of seven major SoC vendors.
Experts revealed that they have also identified several medical and logistics products that could be affected by the SweynTooth flaws.
The researchers have already reported the flaws to the vendors, and most of them have already addressed the issues.
Experts confirmed that more issues are still under disclosure, that the list of impacted SoC vendors is longer, and that a number of IoT products built on top of vulnerable SoCs still need independent patches from their respective vendors.
Experts grouped the flaws into three categories:
- Crash: Vulnerabilities that remotely trigger hard faults, forcing the device to crash. Typically, these issues trigger memory corruption, such as a buffer overflow on the BLE reception buffer.
- Deadlock: Vulnerabilities that affect the availability of the BLE connection without causing a hard fault or memory corruption. These issues usually occur due to some improper synchronization between user code and the SDK firmware distributed by the SoC vendor.
- Security Bypass: Vulnerabilities that could be exploited by attackers in radio range to bypass the latest secure pairing mode of BLE. These issues are particularly dangerous because an attacker in radio range has arbitrary read or write access to the device's functions.
“The exploitation of the vulnerabilities translates to dangerous attack vectors against many IoT products released in 2018-2019. At first glance, most of the vulnerabilities affect products' availability by allowing them to be remotely restarted, deadlocked or having their security bypassed,” the experts continue.
A quick search of the Bluetooth Listing Search site turned up around 480 product listings that use the affected SoCs, each listing covering several products.
A vulnerability named Link Layer Length Overflow impacts Cypress PSoC4/6 BLE Component 3.41/2.60 (CVE-2019-16336) and NXP KW41Z 3.40 SDK (CVE-2019-17519). The issue initially causes a denial of service (DoS).
Below is the list of the flaws:
- Link Layer LLID deadlock, deadlock issues that affect Cypress (CVE-2019-17061) and NXP (CVE-2019-17060) devices and stall BLE communication between devices.
- Truncated L2CAP (CVE-2019-17517), a crash issue that affects Dialog DA14580 devices running SDK 5.0.4 or earlier. It causes a DoS condition by crashing the device, as does Silent Length Overflow (CVE-2019-17518), which affects Dialog DA14680 devices.
- Invalid Connection Request (CVE-2019-19193), a DoS issue that affects the Texas Instruments CC2640R2 BLE-STACK and CC2540 SDKs. A similar issue, Unexpected Public Key Crash (CVE-2019-17520), affects the Texas Instruments CC2640R2 BLE-STACK-SDK and can lead to DoS and product restarts.
- Sequential ATT Deadlock (CVE-2019-19192), a deadlock issue that affects STMicroelectronics WB55 SDK V1.3.0 and earlier.
- Invalid L2CAP fragment (CVE-2019-19195), which a remote attacker could exploit to restart devices running Microchip ATSAMB11 BluSDK Smart v6.2 and earlier.
- Key Size Overflow (CVE-2019-19196), a crash issue that impacts all Telink Semiconductor BLE SDKs.
- The security bypass flaw (CVE-2019-19194) in products using the Telink SMP implementation, which could be abused to completely bypass security in BLE products.
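As an added illustration of the Crash category and of the Link Layer Length Overflow and Key Size Overflow entries above (this is example code written for this article, not the SweynTooth researchers' fuzzer and not any vendor's SDK), the following C model shows the bug class in the simplest form: a length octet taken from a received packet is used as a copy size without being compared to the buffer it lands in, and the bytes that spill over corrupt adjacent connection state. The simulated SRAM layout, the 27-octet receive buffer, the sample PDUs and all function names are assumptions made for the example; the two-octet data-channel PDU header and the 7..16 range for the SMP encryption key size follow the Bluetooth Core specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example written for this article: NOT code from the SweynTooth
 * researchers nor from any vendor SDK. Sizes, memory layout and function
 * names are assumptions chosen to make the overflow visible. */

/* LE data-channel PDU header: octet 0 holds LLID (bits 0-1), NESN, SN, MD;
 * octet 1 is the payload Length (Core spec Vol 6, Part B, Section 2.4). */
#define LL_HDR_LEN          2u
#define LL_LLID_START       0x02   /* LLID 0b10: start of / complete L2CAP message */
/* Assumed receive buffer sized for the default LE payload of 27 octets; a
 * stack that negotiated a larger receive size would bound on that value. */
#define LL_RX_PAYLOAD_MAX   27u

/* Assumed slice of controller SRAM. The RX payload buffer is immediately
 * followed by connection state, so octets written past it land on that state;
 * on a real SoC this is what turns an over-long PDU into a hard fault. */
#define SRAM_SIZE           32u
#define OFF_RX_PAYLOAD      0u
#define OFF_LINK_ALIVE      27u    /* one octet: 1 while the connection is up */
#define OFF_EVENT_COUNTER   28u    /* two octets, little-endian */

typedef struct { uint8_t sram[SRAM_SIZE]; } ll_conn_t;

static void ll_conn_init(ll_conn_t *c) {
    memset(c->sram, 0, SRAM_SIZE);
    c->sram[OFF_LINK_ALIVE] = 1;
    c->sram[OFF_EVENT_COUNTER] = 0x34;      /* event counter = 0x1234 */
    c->sram[OFF_EVENT_COUNTER + 1] = 0x12;
}
static bool ll_link_alive(const ll_conn_t *c) { return c->sram[OFF_LINK_ALIVE] == 1; }
static uint16_t ll_event_counter(const ll_conn_t *c) {
    return (uint16_t)(c->sram[OFF_EVENT_COUNTER] | (c->sram[OFF_EVENT_COUNTER + 1] << 8));
}

/* Constructed data PDU whose header announces `length` payload octets.
 * Returns the total PDU size, or 0 if `out` cannot hold it. */
static size_t make_pdu(uint8_t *out, size_t cap, uint8_t length, uint8_t fill) {
    if (cap < LL_HDR_LEN + (size_t)length) return 0;
    out[0] = LL_LLID_START;
    out[1] = length;
    memset(out + LL_HDR_LEN, fill, length);
    return LL_HDR_LEN + (size_t)length;
}

/* Vulnerable pattern: the Length octet becomes the copy size with no
 * comparison against the buffer, so Length = 31 writes four octets past it. */
static size_t ll_rx_unsafe(ll_conn_t *c, const uint8_t *pdu, size_t pdu_len) {
    if (pdu_len < LL_HDR_LEN) return 0;
    size_t n = pdu[1];
    if (pdu_len < LL_HDR_LEN + n) return 0;           /* frame shorter than header claims */
    if (n > SRAM_SIZE - OFF_RX_PAYLOAD)                 /* demo-only guard so this harness */
        n = SRAM_SIZE - OFF_RX_PAYLOAD;                 /* stays inside its own array       */
    memcpy(&c->sram[OFF_RX_PAYLOAD], pdu + LL_HDR_LEN, n);
    return n;
}

/* Hardened pattern: bound Length by the receive buffer and require the frame
 * to match the header before any copy. A violation drops the PDU (a real
 * stack would also count it and may terminate the link) instead of faulting. */
static size_t ll_rx_checked(ll_conn_t *c, const uint8_t *pdu, size_t pdu_len, bool *dropped) {
    *dropped = true;
    if (pdu_len < LL_HDR_LEN) return 0;
    size_t n = pdu[1];
    if (n > LL_RX_PAYLOAD_MAX) return 0;               /* the check the crash class lacks */
    if (pdu_len != LL_HDR_LEN + n) return 0;
    memcpy(&c->sram[OFF_RX_PAYLOAD], pdu + LL_HDR_LEN, n);
    *dropped = false;
    return n;
}

/* SMP Pairing Request/Response carry a one-octet Maximum Encryption Key Size
 * that the spec limits to 7..16. Using it unchecked as a copy length into a
 * 16-byte key buffer is the Key Size Overflow class. Returns 0 when the value
 * is usable, otherwise the SMP Pairing Failed reason code to send back. */
#define SMP_ERR_ENC_KEY_SIZE    0x06
#define SMP_ERR_INVALID_PARAMS  0x0A
static uint8_t smp_check_key_size(uint8_t max_key_size, uint8_t local_min_key_size) {
    if (max_key_size < 7 || max_key_size > 16) return SMP_ERR_INVALID_PARAMS;
    if (max_key_size < local_min_key_size)     return SMP_ERR_ENC_KEY_SIZE;
    return 0;
}

int main(void) {
    ll_conn_t c;
    uint8_t pdu[LL_HDR_LEN + 64];
    bool dropped;

    size_t n = make_pdu(pdu, sizeof pdu, 31, 0xAA);   /* 31 > the 27-octet buffer */
    ll_conn_init(&c);
    ll_rx_unsafe(&c, pdu, n);
    printf("unsafe : link_alive=%d event_counter=0x%04x\n",
           ll_link_alive(&c), ll_event_counter(&c));

    ll_conn_init(&c);
    ll_rx_checked(&c, pdu, n, &dropped);
    printf("checked: dropped=%d link_alive=%d event_counter=0x%04x\n",
           dropped, ll_link_alive(&c), ll_event_counter(&c));
    printf("smp key size 200 -> reason 0x%02x\n", smp_check_key_size(200, 7));
    return 0;
}
```

The unsafe receive path leaves the link flag and event counter overwritten with the attacker's fill byte, which is the state corruption that shows up as a restart or hard fault on the affected products; the checked path refuses the same PDU before touching memory. The key-size check is the same idea one layer up: the bound comes from the specification, not from whatever the peer sends.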
At the time of the report, Dialog, Microchip and STMicroelectronics had yet to release patches to address the flaws in the affected products.
“Our findings expose some fundamental attack vectors against certified and
(SecurityAffairs – SweynTooth, hacking)