Multiple Vulnerabilities in Bluetooth Low Energy (BLE) Devices

Published on 06 Mar 2020 | Updated on 09 Nov 2022

There is a public report on multiple vulnerabilities affecting a number of Bluetooth Low Energy (BLE) devices. These include Internet of Things (IoT), smart-home, wearable and medical devices (such as pacemakers and blood glucose monitors) that are built on vulnerable BLE wireless communication software development kits (SDKs).

 

These vulnerabilities expose flaws in specific BLE System on Chip (SoC) implementations that allow an attacker within radio range to trigger deadlocks, crashes, buffer overflows, or a complete bypass of security on devices utilising BLE technology. The affected SoC manufacturers include Texas Instruments, NXP Semiconductors, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, Telink Semiconductor and Espressif Systems; the open-source Zephyr RTOS BLE stack is also affected.

 

Table 1 provides information on the specific vulnerabilities.

 

Type of Vulnerability | Vulnerability Name | CVE (CVSS Score) | Impact | Affected Vendor
--- | --- | --- | --- | ---
Crash | Link Layer Memory Corruption | CVE-2020-10061 (8.8) | Successful exploitation could crash the device; the device could be restarted remotely. | Zephyr
Crash | Link Layer Length Overflow | CVE-2019-16336 (6.5) | Successful exploitation could crash the device by triggering hard faults; the device may restart. | Cypress
Crash | Link Layer Length Overflow | CVE-2019-17519 (8.8) | Successful exploitation could crash the device by triggering hard faults, resulting in a denial-of-service condition. | NXP Semiconductors
Crash | Truncated L2CAP | CVE-2019-17517 (5.7) | Successful exploitation could cause a denial-of-service condition and crash the device. | Dialog Semiconductors
Crash | Silent Length Overflow | CVE-2019-17518 (6.5) | Successful exploitation could crash the device (denial of service). | Dialog Semiconductors
Crash | Public Key Crash | CVE-2019-17520 (6.5) | Successful exploitation could cause a denial-of-service condition; the device may enter a deadlock state and require a manual restart. | Texas Instruments
Crash | Invalid L2CAP Fragment | CVE-2019-19195 (6.5) | Successful exploitation could crash the device by triggering hard faults; the device may restart. | Microchip
Crash | Key Size Overflow | CVE-2019-19196 (6.5) | Successful exploitation could allow an attacker to crash the product, or to bypass encryption and leak user information. | Telink Semiconductor
Deadlock | HCI Desync Deadlock | CVE-2020-13595 (TBA) | Successful exploitation could disrupt the BLE connection or cause a deadlock that requires a manual restart. | Espressif Systems
Deadlock | Channel Map Deadlock | CVE-2020-13594 (TBA) | Successful exploitation could cause a denial-of-service condition, disrupting the BLE connection until a manual restart. | Microchip Technology
Deadlock | Channel Map Deadlock | CVE-2020-10069 (TBA) | Successful exploitation could cause a denial-of-service condition, disrupting the BLE connection until a manual restart. | Zephyr
Deadlock | LLID Deadlock | CVE-2019-17061 (6.5) | Successful exploitation could disrupt the BLE connection or cause a deadlock that requires a manual restart. | Cypress
Deadlock | LLID Deadlock | CVE-2019-17060 (6.5) | Successful exploitation could critically impair the availability of the device and require the user to power-cycle it manually. | NXP Semiconductors
Deadlock | Sequential ATT Deadlock | CVE-2019-19192 (6.5) | Successful exploitation could leave the device in a deadlock state that requires a manual restart. | STMicroelectronics
Deadlock | Invalid Connection Request | CVE-2019-19193 (6.5) | Successful exploitation could cause a denial-of-service condition; the device may enter a deadlock state and require a manual restart. | Texas Instruments
Security Bypass | DHCheck Skip | CVE-2020-13593 (TBA) | Successful exploitation could allow illegitimate device pairing by initiating the encryption procedure early, bypassing the pairing security checks. | Texas Instruments
Security Bypass | Zero LTK Installation | CVE-2019-19194 (8.8) | Successful exploitation could give the attacker arbitrary read or write access to the device's functions. | Telink Semiconductor

Table 1. Vulnerability Details
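The "Length Overflow" and "Key Size Overflow" rows above are, at bottom, missing bounds checks on peer-supplied fields. The following is an added illustration, not code from the advisory, the SweynTooth report, or any of the vendors in Table 1: a minimal Link Layer receive path and an SMP key-size check written the way a hardened stack should handle those fields. The limits come from the Bluetooth Core Specification (Link Layer Data PDU payload of at most 251 octets with LE Data Length Extension; SMP Maximum Encryption Key Size between 7 and 16 octets); the struct and function names and the sample frames are this example's own constructs, not captured traffic.

```c
/*
 * Added example (not vendor or SweynTooth code). Shows the receive-side
 * checks whose absence yields the "Length Overflow" and "Key Size Overflow"
 * bug classes. Struct/function names and sample frames are assumptions made
 * for this illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LL_HDR_LEN        2u    /* LL Data PDU header: flags octet + Length octet */
#define LL_MAX_PAYLOAD    251u  /* LE Data Length Extension maximum payload */
#define SMP_MIN_KEY_SIZE  7u    /* SMP Maximum Encryption Key Size lower bound */
#define SMP_MAX_KEY_SIZE  16u   /* SMP Maximum Encryption Key Size upper bound */

enum ll_status {
    LL_OK = 0,
    LL_ERR_TRUNCATED,      /* frame shorter than a header */
    LL_ERR_LEN_TOO_LARGE,  /* Length octet above what any buffer may hold */
    LL_ERR_LEN_MISMATCH    /* Length octet disagrees with received octets */
};

struct ll_rx_pdu {
    uint8_t llid;                    /* low two bits of the first header octet */
    uint8_t len;                     /* validated payload length */
    uint8_t payload[LL_MAX_PAYLOAD]; /* sized for the largest legal payload */
};

/*
 * Vulnerable pattern (bug shape only; intentionally not called below): the
 * peer-supplied Length octet is used directly as the copy count, so a frame
 * whose Length exceeds 251 overruns payload[].
 */
void ll_rx_parse_unchecked(const uint8_t *frame, struct ll_rx_pdu *out)
{
    out->llid = frame[0] & 0x03;
    out->len = frame[1];
    memcpy(out->payload, frame + LL_HDR_LEN, out->len); /* overflow if len > 251 */
}

/*
 * Hardened parser: the Length octet is untrusted input. It is checked
 * against the buffer capacity and against the octet count the radio
 * actually delivered before a single byte is copied.
 */
enum ll_status ll_rx_parse(const uint8_t *frame, size_t frame_len,
                           struct ll_rx_pdu *out)
{
    if (frame == NULL || out == NULL || frame_len < LL_HDR_LEN)
        return LL_ERR_TRUNCATED;

    uint8_t len = frame[1];
    if (len > LL_MAX_PAYLOAD)
        return LL_ERR_LEN_TOO_LARGE;
    if ((size_t)len != frame_len - LL_HDR_LEN)
        return LL_ERR_LEN_MISMATCH;

    out->llid = frame[0] & 0x03;
    out->len = len;
    memcpy(out->payload, frame + LL_HDR_LEN, len);
    return LL_OK;
}

/*
 * SMP Pairing Request/Response carries a Maximum Encryption Key Size octet.
 * Values outside 7..16 are malformed and must be rejected rather than used
 * to size a key buffer or to truncate the derived key.
 */
bool smp_key_size_valid(uint8_t max_key_size)
{
    return max_key_size >= SMP_MIN_KEY_SIZE && max_key_size <= SMP_MAX_KEY_SIZE;
}

/* Constructed sample frames for a stand-alone run. */
int main(void)
{
    struct ll_rx_pdu pdu;
    /* Well-formed: LLID 0b10 (start of L2CAP PDU), Length 3, 3 payload octets. */
    const uint8_t good[] = { 0x02, 0x03, 0xAA, 0xBB, 0xCC };
    /* Malformed: Length claims 255 octets but only 3 follow the header. */
    const uint8_t bad[]  = { 0x02, 0xFF, 0xAA, 0xBB, 0xCC };

    printf("good frame -> status %d\n", ll_rx_parse(good, sizeof good, &pdu));
    printf("bad frame  -> status %d\n", ll_rx_parse(bad, sizeof bad, &pdu));
    printf("key size 16 valid: %d, key size 0 valid: %d\n",
           smp_key_size_valid(16), smp_key_size_valid(0));
    return 0;
}
```

The mismatch check matters as much as the upper bound: a Length octet that is legal in itself but larger than the octets actually received still makes the stack read past the end of the radio buffer, which is the "silent" variant of the same bug.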

 

Rating | CVSS Score
--- | ---
Critical | 9.0 – 10.0
High | 7.0 – 8.9
Medium | 4.0 – 6.9
Low | 0.1 – 3.9
None | 0.0

Table 2. Qualitative Severity Rating Scale

 

Refer to the links below for patches which have been released by the BLE SoC manufacturers to address these vulnerabilities:

 

Cypress

Dialog Semiconductors (login required)

NXP Semiconductors (login required)

Texas Instruments

Zephyr

 

Customers of affected products are advised to install the security updates released by the individual SoC manufacturers, after first validating them in a test or development environment that reflects the production environment. Customers are also advised to take note of the following considerations:

  • If no security update for your affected device is available, develop a plan to update the affected devices to the latest security patch when available.

  • Where feasible, evaluate whether BLE wireless communication can be disabled safely on the affected device.

  • Vendors of affected devices and products should provide users with information on the affected products and recommendations on how to mitigate the vulnerabilities.

 

Organisations using the affected devices and products are advised to perform proper impact analysis and risk assessment prior to deploying defensive measures.

 

Users of affected products can consider turning off BLE wireless communication when it is not in use as a temporary mitigation.

 

More information is available here:

https://asset-group.github.io/disclosures/sweyntooth/