A trio of boffins at Singapore University this week disclosed 12 security vulnerabilities affecting the Bluetooth Low Energy (BLE) SDKs offered by seven system-on-a-chip (SoC) vendors.
The flaws, collectively dubbed SWEYNTOOTH (because every bug has to have its own name these days), allow a suitably skilled attacker to crash or deadlock BLE devices, or to bypass pairing security to gain arbitrary read and write access to device functions.
The bug branding epithet comes from Sweyn Forkbeard, the son of King Harald "Bluetooth" Gormsson, the namesake of the wireless specification.
"SWEYNTOOTH potentially affects IoT products in appliances such as smart-homes, wearables and environmental tracking or sensing," explain Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang, in a research paper [PDF] describing the BLE bugs. "We have also identified several medical and logistics products that could be affected."
The SDKs at issue come from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor; they support BLE versions 4.1, 4.2, 5.0, and 5.1.
|Link Layer Length Overflow||CVE-2019-16336
|Silent Length Overflow||CVE-2019-17518||Dialog|
|Public Key Crash||CVE-2019-17520||Texas Instruments|
|Invalid Connection Request||CVE-2019-19193||Texas Instruments|
|Invalid L2CAP Fragment||CVE-2019-19195||Microchip|
|Sequential ATT Deadlock||CVE-2019-19192||STMicroelectronics|
|Key Size Overflow||CVE-2019-19196||Telink|
|Zero LTK Installation||CVE-2019-19194||Telink|
The researchers say they followed responsible disclosure practices by notifying as many affected vendors as they could and patches have been made available in some cases. About 480 products use the affected SoCs though not all are necessarily affected.
Devices verified to be vulnerable include the Fitbit Inspire smartwatch, the Eve Energy smart plug, the August Smart Lock, the eGee Touch TSA Lock, and the CubiTag item tracking tag.
There's PoC code and a video demonstrating how an attack might work:
Garbelini, Chattopadhyay, and Wang voiced concern about the potential impact on medical products.
"VivaCheck Laboratories, which manufactures blood glucose meters, has many products listed to use [Dialog's] DA14580," they say in their paper, "Hence all these products are potentially vulnerable to the Truncated L2CAP attack. Even worse, Syqe Medical Ltd. and their programmable drug delivery inhalation platform (Syqe Inhaler v01) is affected alongside the latest pacemaker related products from Medtronic Inc."
The boffins say that they're aware of additional bugs that they're not yet ready to make public. However, not all of the publicly disclosed flaws have been fixed, since vendors haven't moved in time for the disclosure deadline.
"We urge action from vendors due to the reliance of the BLE IoT market on such unpatched SoCs," the researchers say in their paper. "For example, August Home Inc and Eve Systems products rely almost entirely on DA14680, which is still unpatched even after a responsive disclosure period of more than 90 days."
The Dialog DA1469X, DA14585/6, and DA14580, the Microchip ATSAMB11, and the STMicroelectronics WB55 and BlueNRG-2 are also unpatched. ®