Multiple Vulnerabilities in Bluetooth Low Energy (BLE) Devices

Published on 06 Mar 2020

Updated on 06 Mar 2020

There is a public report on multiple vulnerabilities affecting a number of Bluetooth Low Energy (BLE) devices. These include internet of Things (IoT), smart-home, wearable, and medical devices utilising vulnerable BLE wireless communication software development kits (SDKs) such as pacemakers, blood glucose monitors.

 

These vulnerabilities expose flaws in specific BLE System on Chip (SoC) implementations that allow an attacker in close proximity to trigger deadlocks, crashes, buffer overflows, or the complete bypass of security on devices utilising BLE technology. The known BLE SoC manufacturers include Texas Instruments, NXP Semiconductors, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor.

 

Table 1 provides information on the specific vulnerabilities.

 

Type of Vulnerability Vulnerability Name CVE (Score) Impact Affected Vendors
Crash Link Layer Length Overflow CVE-2019-16336 (6.5) Successful exploitation of this vulnerability could crash the device by triggering hard faults and the device may restart. Cypress
Link Layer Length Overflow CVE-2019-17519 (8.8) Successful exploitation of this vulnerability could crash the device by triggering hard faults, resulting in a denial-of-service condition. NXP Semiconductors
Truncated L2CAP CVE-2019-17517 (5.7) Successful exploitation of this vulnerability could cause a denial-of-service condition and crash the device. Dialog Semiconductors
Silent Length Overflow CVE-2019-17518 (6.5)
Public Key Crash CVE-2019-17520 (6.5) Successful exploitation of this vulnerability could cause a denial-of-service condition and the device may enter a deadlock state and require a manual restart. Texas Instruments
Invalid L2CAP Fragment CVE-2019-19195 (6.5) Successful exploitation of this vulnerability could crash the device by triggering hard faults and the device may restart. Microchip
Key Size Overflow CVE-2019-19196 (6.5) Successful exploitation of this vulnerability could allow attackers to crash the product or bypass encryption and leak user information. Telink Semiconductor
Deadlock LLID Deadlock CVE-2019-17061 (6.5) Successful exploitation of this vulnerability could disrupt the BLE connection or even cause a deadlock in which a manual restart would then be required. Cypress
LLID Deadlock CVE-2019-17060 (6.5) Successful exploitation of this vulnerability could critically impair the availability of the device and require user to manually perform a power cycle. NXP Semiconductors
Sequential ATT Deadlock CVE-2019-19192 (6.5) Successful exploitation of this vulnerability could leave the device in a deadlock state and would require a manual restart. STMicroelectronics
Invalid Connection Request CVE-2019-19193 (6.5) Successful exploitation of this vulnerability could cause a denial-of-service condition. The device might enter a deadlock state and require a manual restart. Texas Instruments
Security Bypass Zero LTK Installation CVE-2019-19194 (8.8) Successful exploitation of this vulnerability could allow the attacker to have arbitrary read or write access to the device's functions. Telink Semiconductor

Table 1. Vulnerability Details

 

Rating CVSS Score
Critical 9.0 – 10.0
High 7.0 – 8.9
Medium 4.0 – 6.9
Low 0.1 – 3.9
None 0.0

Table 2. Qualitative Severity Rating Scale

 

Refer to the links below for patches which have been released by the BLE SoC manufacturers to address these vulnerabilities:

 

Cypress

Dialog Semiconductors (login required)

Microchip

NXP Semiconductors (login required)

Texas Instruments

             

Customers of affected products are advised to update and install the available security updates from individual SoC manufacturers in a test development environment that reflects a production environment prior to installation. Customers are also advised to take note of the following considerations:

  • If no security update for your affected device is available, develop a plan to update the affected devices to the latest security patch when available.

  • Where feasible, evaluate the possibility and safety of disabling the use of BLE wireless communications protocol.

  • Vendors of affected devices and products should provide users with information on the affected products and recommendations on how to mitigate the vulnerabilities.

 

Organisations using the affected devices and products are advised to perform proper impact analysis and risk assessment prior to deploying defensive measures.

 

Users of affected products can consider turning off BLE wireless communications protocol when not in use as a temporary mitigation method.

 

More information is available here:

https://asset-group.github.io/disclosures/sweyntooth/