A dirty dozen of Bluetooth bugs threaten to reboot, freeze, or hack your trendy gizmos from close range

Over the air? More like over the aarrrggghhh

A trio of boffins at Singapore University this week disclosed 12 security vulnerabilities affecting the Bluetooth Low Energy (BLE) SDKs offered by seven system-on-a-chip (SoC) vendors.

The flaws, collectively dubbed SWEYNTOOTH (because every bug has to have its own name these days), allow a suitably skilled attacker to crash or deadlock BLE devices, or to bypass pairing security to gain arbitrary read and write access to device functions.

The bug branding epithet comes from Sweyn Forkbeard, the son of King Harald "Bluetooth" Gormsson, the namesake of the wireless specification.

"SWEYNTOOTH potentially affects IoT products in appliances such as smart-homes, wearables and environmental tracking or sensing," explain Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang, in a research paper [PDF] describing the BLE bugs. "We have also identified several medical and logistics products that could be affected."

The SDKs at issue come from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor; they support BLE versions 4.1, 4.2, 5.0, and 5.1.

| Vulnerability | CVE(s) | Vendor |
| --- | --- | --- |
| Link Layer Length Overflow | CVE-2019-16336, CVE-2019-17519 | Cypress, NXP |
| LLID Deadlock | CVE-2019-17061, CVE-2019-17060 | Cypress, NXP |
| Truncated L2CAP | CVE-2019-17517 | Dialog |
| Silent Length Overflow | CVE-2019-17518 | Dialog |
| Public Key Crash | CVE-2019-17520 | Texas Instruments |
| Invalid Connection Request | CVE-2019-19193 | Texas Instruments |
| Invalid L2CAP Fragment | CVE-2019-19195 | Microchip |
| Sequential ATT Deadlock | CVE-2019-19192 | STMicroelectronics |
| Key Size Overflow | CVE-2019-19196 | Telink |
| Zero LTK Installation | CVE-2019-19194 | Telink |

The researchers say they followed responsible disclosure practices by notifying as many affected vendors as they could and patches have been made available in some cases. About 480 products use the affected SoCs though not all are necessarily affected.

Devices verified to be vulnerable include the Fitbit Inspire smartwatch, the Eve Energy smart plug, the August Smart Lock, the eGee Touch TSA Lock, and the CubiTag item tracking tag.

There's PoC code and a video demonstrating how an attack might work.

Garbelini, Chattopadhyay, and Wang voiced concern about the potential impact on medical products.

"VivaCheck Laboratories, which manufactures blood glucose meters, has many products listed to use [Dialog's] DA14580," they say in their paper, "Hence all these products are potentially vulnerable to the Truncated L2CAP attack. Even worse, Syqe Medical Ltd. and their programmable drug delivery inhalation platform (Syqe Inhaler v01) is affected alongside the latest pacemaker related products from Medtronic Inc."

The boffins say that they're aware of additional bugs that they're not yet ready to make public. However, not all of the publicly disclosed flaws have been fixed, since vendors haven't moved in time for the disclosure deadline.

"We urge action from vendors due to the reliance of the BLE IoT market on such unpatched SoCs," the researchers say in their paper. "For example, August Home Inc and Eve Systems products rely almost entirely on DA14680, which is still unpatched even after a responsive disclosure period of more than 90 days."

The Dialog DA1469X, DA14585/6, and DA14580, the Microchip ATSAMB11, and the STMicroelectronics WB55 and BlueNRG-2 are also unpatched.
