SweynTooth: Bluetooth Vulnerabilities Expose Many Devices to Attacks
Security researchers have discovered numerous vulnerabilities in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.
BLE is a wireless communication technology designed to reduce the battery drainage of mobile and Internet of Things (IoT) devices. Consisting of a set of standardized protocols, BLE provides connectivity between peripherals and a user’s smartphone or notebook.
The BLE software development kits (SDKs) of six major SoC vendors contain many vulnerabilities that could be triggered by attackers within Bluetooth range.
These issues impact smart homes, wearables, and environmental tracking or sensing systems, and possibly affect medical and logistics products as well, security researchers Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang from the Singapore University of Technology and Design explain.
The researchers have detailed a total of 12 vulnerabilities they refer to as “SweynTooth,” but note that more exist — they cannot be disclosed yet. Impacted vendors, which include Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor, have been notified, and almost all of them already released patches.
However, the list of impacted SoC vendors is longer, and “a substantial number of IoT products” that use the affected SoCs still need independent patches from their respective vendors, the researchers say.
“SweynTooth highlights concrete flaws in the BLE stack certification process. We envision substantial amendments to the BLE stack certification to avoid SweynTooth style security flaws. We also urge SoC vendors and IoT product manufacturers to be aware of such security issues and to initiate focused effort in security testing,” the whitepaper reads.
Based on the type and behavior of the affected BLE devices, the SweynTooth vulnerabilities are classified as crash flaws (can lead to the remote crashing of a device by triggering hard faults), deadlock (affecting the availability of the BLE connection, usually due to poor synchronization), and security bypass (provides an attacker in the radio range with arbitrary read or write access to a device’s functions).
“The exploitation of the vulnerabilities translates to dangerous attack vectors against many IoT products released in 2018-2019. At first glance, most of the vulnerabilities affect product’s availability by allowing them to be remotely restarted, deadlocked or having their security bypassed,” the whitepaper reads.
A search on the Bluetooth Listing Search site returns around 480 product listings that employ the affected SoCs, each listing containing multiple products from the same vendor. However, while the total number of different products affected is higher, not all products are guaranteed to be affected, the researchers say.
A vulnerability named Link Layer Length Overflow impacts Cypress PSoC4/6 BLE Component 3.41/2.60 (CVE-2019-16336) and NXP KW41Z 3.40 SDK (CVE-2019-17519). The issue initially causes denial of service (DoS), but “attackers could reverse engineer products firmware to possibly leverage remote execution,” the researchers say.
Link Layer LLID deadlock flaws can render Cypress (CVE-2019-17061) and NXP devices (CVE-2019-17060) in a deadlock state, affecting the BLE communication between devices.
A vulnerability dubbed Truncated L2CAP (CVE-2019-17517) affects Dialog DA14580 devices running SDK 5.0.4 or earlier and results in DoS and a crash, the same as Silent Length Overflow (CVE-2019-17518), which affects Dialog DA14680 devices.
Invalid Connection Request (CVE-2019-19195) affects the Texas Instruments CC2640R2 BLE-STACK and CC2540 SDKs, leading to DoS. A weakness named Unexpected Public Key Crash (CVE-2019-17520) affecting Texas Instruments CC2640R2 BLE-STACK-SDK could lead to DoS and product restarts.
Sequential ATT Deadlock (CVE-2019-19192) affects STMicroelectronics WB55 SDK V1.3.0 and earlier, leaving the product in a deadlock state in certain conditions. Invalid L2CAP fragment (CVE-2019-19195), which affects devices running Microchip ATMSAMB11 BluSDK Smart v6.2 and earlier, could be exploited to remotely restart devices.
The Key Size Overflow vulnerability (CVE-2019-19196) impacts all Telink Semiconductor BLE SDKs, allowing an attacker to crash devices.
A variation of the flaw is Zero LTK Installation (CVE-2019-19194), a critical issue in products using the Telink SMP implementation, which could be abused to completely bypass security in BLE products.
Some of the affected products include the 2018 smartwatch lineup from FitBit, Eve Systems smart home products, the CubiTag Bluetooth tracker, and the eGee Touch smart luggage lock. The security researchers also published two videos that demonstrate the vulnerabilities in some of these products.
The experts also note that critical devices likely impacted by SweynTooth are medical products from vendors such as VivaCheck Laboratories, Syqe Medical, and Medtronic.
While most of the affected vendors have already released patches, some SoCs did not receive a patch yet — such is the case for Dialog, Microchip and STMicroelectroncs. Product vendors are being independently contacted by each SoC manufacturer.
“Our findings expose some fundamental attack vectors against certified and recertified BLE Stacks which are supposed to be ‘safe’ against such flaws. We carefully investigated the reasons that might explain the presence of SweynTooth vulnerabilities on the affected SoCs. We believe this is due to the imposed isolation between the link layer and other Bluetooth protocols, via the Host Controller Interface (HCI) protocol,” the researchers note.