SweynTooth Bluetooth flaws affect devices from major system-on-a-chip (SoC) vendors

Pierluigi Paganini February 15, 2020

Security experts have discovered multiple flaws, dubbed SweynTooth, in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.

A group of researchers has discovered multiple vulnerabilities, tracked as SweynTooth, in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.

The group was composed of researchers Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang from the Singapore University of Technology and Design.

The Bluetooth Low Energy (BLE) protocol was released in 2010 and is designed to support a new generation of services for mobile applications. It specifically addresses the power consumption of these applications, reducing battery drain for devices that must transmit signals constantly.

Now the experts have found 12 vulnerabilities in the BLE software development kits (SDKs) of seven SoC vendors (Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor) that could be exploited to hack into various smart devices, including environmental tracking or sensing systems.

Experts revealed that they have also identified several medical and logistics products that could be affected by the SweynTooth flaws.

The researchers already reported the flaws to the vendors, and most of them have already addressed the issues.

“SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of seven major system-on-a-chip (SoC) vendors,” reads the analysis published by the researchers. “The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows or completely bypass security depending on the circumstances.”

Experts confirmed that more issues are still under disclosure, that the list of impacted SoC vendors is longer, and that IoT products designed on top of vulnerable SoCs still need independent patches from their respective vendors.

“SweynTooth highlights concrete flaws in the BLE stack certification process. We envision substantial amendments to the BLE stack certification to avoid SweynTooth style security flaws. We also urge SoC vendors and IoT product manufacturers to be aware of such security issues and to initiate focused effort in security testing,” the experts continue.

Experts classified the SweynTooth flaws according to their type and their behaviour on the vulnerable devices; below are the classes defined by the experts:

  • Crash: Vulnerabilities that remotely trigger hard faults, forcing the device to crash. Typically, these issues trigger memory corruption, such as a buffer overflow on the BLE reception buffer.
  • Deadlock: Vulnerabilities that affect the availability of the BLE connection without causing a hard fault or memory corruption. These issues usually occur due to improper synchronization between user code and the SDK firmware distributed by the SoC vendor.
  • Security Bypass: Vulnerabilities that could be exploited by attackers in radio range to bypass the latest secure pairing mode of BLE. These issues are particularly dangerous because an attacker in radio range gains arbitrary read or write access to the device’s functions.

“The exploitation of the vulnerabilities translates to dangerous attack vectors against many IoT products released in 2018-2019. At first glance, most of the vulnerabilities affect product’s availability by allowing them to be remotely restarted, deadlocked or having their security bypassed,” the experts continue.

A quick search on the Bluetooth Listing Search site revealed around 480 product listings that employ the affected SoCs, each listing covering several products.

A vulnerability named Link Layer Length Overflow impacts Cypress PSoC4/6 BLE Component 3.41/2.60 (CVE-2019-16336) and NXP KW41Z 3.40 SDK (CVE-2019-17519). The issue initially causes denial of service (DoS), but “attackers could reverse engineer products firmware to possibly leverage remote execution,” the researchers say.
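The "Crash" class above and the Link Layer Length Overflow in particular come down to one pattern: a receive path that trusts the payload length declared in the link-layer PDU header and copies that many bytes into a fixed reception buffer. The following C program is an added illustration written for this article; it is not code from the SweynTooth researchers or from any vendor SDK. It models a BLE data-channel PDU (2-byte header: LLID in the low two bits of byte 0, declared length in byte 1, then payload) and shows the two checks a hardened receive routine needs before copying: the declared length must not exceed the bytes actually received, and it must not exceed the reception buffer. The buffer capacity of 27 bytes and the frame contents are constructed assumptions for the example; the reserved-LLID rejection is included because the article also lists LLID-related deadlocks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a BLE link-layer data PDU (not vendor SDK code).
 * Byte 0: LLID (bits 0-1), NESN, SN, MD, RFU. Byte 1: declared payload length. */
#define LL_HDR_LEN   2
#define RX_BUF_CAP   27   /* assumed reception buffer size for this example */

enum ll_status {
    LL_OK = 0,
    LL_ERR_SHORT,             /* frame shorter than the 2-byte header */
    LL_ERR_LLID,              /* reserved LLID value 0b00 */
    LL_ERR_LEN_EXCEEDS_FRAME, /* declared length > bytes actually received */
    LL_ERR_LEN_EXCEEDS_BUF    /* declared length > fixed reception buffer */
};

struct rx_slot {
    uint8_t llid;
    uint8_t len;
    uint8_t payload[RX_BUF_CAP];
};

/* Hardened receive: every bound is checked against the declared length
 * before memcpy touches the fixed buffer. A stack that omits the last two
 * checks and copies `declared` bytes blindly is the overflow pattern the
 * article's "Crash" class describes. */
enum ll_status ll_rx_pdu(const uint8_t *frame, size_t frame_len, struct rx_slot *out)
{
    if (frame_len < LL_HDR_LEN)
        return LL_ERR_SHORT;

    uint8_t llid     = frame[0] & 0x03;
    uint8_t declared = frame[1];

    if (llid == 0x00)                          /* reserved, never valid on air */
        return LL_ERR_LLID;
    if (declared > frame_len - LL_HDR_LEN)     /* header lies about what arrived */
        return LL_ERR_LEN_EXCEEDS_FRAME;
    if (declared > RX_BUF_CAP)                 /* would overrun the rx buffer */
        return LL_ERR_LEN_EXCEEDS_BUF;

    out->llid = llid;
    out->len  = declared;
    memcpy(out->payload, frame + LL_HDR_LEN, declared);
    return LL_OK;
}

/* Constructed frames exercising each path; each returns 1 when the
 * parser behaves as intended. */
int demo_valid_pdu(void)
{
    const uint8_t f[] = { 0x02, 0x03, 0xAA, 0xBB, 0xCC }; /* LLID=2, len=3 */
    struct rx_slot s;
    return ll_rx_pdu(f, sizeof f, &s) == LL_OK && s.len == 3 && s.payload[2] == 0xCC;
}

int demo_length_beyond_frame(void)
{
    const uint8_t f[] = { 0x02, 0xFF, 0x01 };             /* claims 255, carries 1 */
    struct rx_slot s;
    return ll_rx_pdu(f, sizeof f, &s) == LL_ERR_LEN_EXCEEDS_FRAME;
}

int demo_length_beyond_buffer(void)
{
    uint8_t f[LL_HDR_LEN + 40] = { 0x02, 40 };            /* 40 real bytes > 27-byte buffer */
    struct rx_slot s;
    return ll_rx_pdu(f, sizeof f, &s) == LL_ERR_LEN_EXCEEDS_BUF;
}

int demo_reserved_llid(void)
{
    const uint8_t f[] = { 0x00, 0x00 };
    struct rx_slot s;
    return ll_rx_pdu(f, sizeof f, &s) == LL_ERR_LLID;
}

int main(void)
{
    printf("valid pdu accepted:        %d\n", demo_valid_pdu());
    printf("oversized vs frame rejected: %d\n", demo_length_beyond_frame());
    printf("oversized vs buffer rejected: %d\n", demo_length_beyond_buffer());
    printf("reserved llid rejected:    %d\n", demo_reserved_llid());
    return 0;
}
```

The frame-length check matters on its own: a receive buffer can be large enough and the copy still reads past the end of what the radio actually delivered. Both bounds have to hold, and they have to be tested before the copy, not after.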

Below is the list of the flaws:

  • Link Layer LLID deadlock flaws, deadlock issues that affect Cypress (CVE-2019-17061) and NXP devices (CVE-2019-17060). The issues impact the BLE communication between devices.
  • Truncated L2CAP (CVE-2019-17517), a crash issue that affects Dialog DA14580 devices running SDK 5.0.4 or earlier. The issue could trigger a DoS condition that crashes the device, as could Silent Length Overflow (CVE-2019-17518), which affects Dialog DA14680 devices.
  • Invalid Connection Request (CVE-2019-19195), a DoS issue that affects the Texas Instruments CC2640R2 BLE-STACK and CC2540 SDKs. A similar issue, the Unexpected Public Key Crash (CVE-2019-17520), affects the Texas Instruments CC2640R2 BLE-STACK-SDK and could lead to DoS and product restarts.
  • Sequential ATT Deadlock (CVE-2019-19192), a deadlock issue that affects STMicroelectronics WB55 SDK V1.3.0 and earlier. Invalid L2CAP fragment (CVE-2019-19195) could be exploited by a remote attacker to restart devices running Microchip ATMSAMB11 BluSDK Smart v6.2 and earlier.
  • The Key Size Overflow vulnerability (CVE-2019-19196), a crash issue that impacts all Telink Semiconductor BLE SDKs.
  • The security bypass flaw (CVE-2019-19194) in products using the Telink SMP implementation, which could be abused to completely bypass security in BLE products.

Below are two video PoCs published by the experts showing exploitation of the issues in some products:

At the time of the report, Dialog, Microchip and STMicroelectronics had yet to release patches to address the flaws in the affected products.

“Our findings expose some fundamental attack vectors against certified and recertified BLE Stacks which are supposed to be ‘safe’ against such flaws. We carefully investigated the reasons that might explain the presence of SweynTooth vulnerabilities on the affected SoCs. We believe this is due to the imposed isolation between the link layer and other Bluetooth protocols, via the Host Controller Interface (HCI) protocol,” the researchers conclude.


Pierluigi Paganini

(SecurityAffairs – SweynTooth, hacking)
