Multiple Vulnerabilities in Bluetooth Low Energy (BLE) Devices
6 March 2020
There is a public report on multiple vulnerabilities affecting a number of Bluetooth Low Energy (BLE) devices. These include Internet of Things (IoT), smart-home, wearable and medical devices (such as pacemakers and blood glucose monitors) built on vulnerable BLE wireless communication software development kits (SDKs).
These vulnerabilities are flaws in specific BLE System on Chip (SoC) implementations that allow an attacker in close radio proximity to trigger deadlocks, crashes or buffer overflows, or to bypass the security of the BLE connection entirely. Affected BLE SoC vendors and stacks include Texas Instruments, NXP Semiconductors, Cypress, Dialog Semiconductors, Microchip Technology, STMicroelectronics, Telink Semiconductor, Espressif Systems and the Zephyr RTOS Bluetooth stack.
Table 1 provides information on the specific vulnerabilities.
Multiple vulnerabilities
Type of Vulnerability | Vulnerability Name | CVE (CVSS Score) | Impact | Affected Vendor |
---|---|---|---|---|
Crash | Link Layer Memory Corruption | CVE-2020-10061 (8.8) | Successful exploitation of this vulnerability could crash the device and cause it to restart. | Zephyr |
Crash | Link Layer Length Overflow | CVE-2019-16336 (6.5) | Successful exploitation of this vulnerability could crash the device by triggering hard faults, and the device may restart. | Cypress |
Crash | Link Layer Length Overflow | CVE-2019-17519 (8.8) | Successful exploitation of this vulnerability could crash the device by triggering hard faults, resulting in a denial-of-service condition. | NXP Semiconductors |
Crash | Truncated L2CAP | CVE-2019-17517 (5.7) | Successful exploitation of this vulnerability could cause a denial-of-service condition and crash the device. | Dialog Semiconductors |
Crash | Silent Length Overflow | CVE-2019-17518 (6.5) | | |
Crash | Public Key Crash | CVE-2019-17520 (6.5) | Successful exploitation of this vulnerability could cause a denial-of-service condition; the device may enter a deadlock state and require a manual restart. | Texas Instruments |
Crash | Invalid L2CAP Fragment | CVE-2019-19195 (6.5) | Successful exploitation of this vulnerability could crash the device by triggering hard faults, and the device may restart. | Microchip Technology |
Crash | Key Size Overflow | CVE-2019-19196 (6.5) | Successful exploitation of this vulnerability could allow an attacker to crash the product or to bypass encryption and leak user information. | Telink Semiconductor |
Deadlock | HCI Desync Deadlock | CVE-2020-13595 (TBA) | Successful exploitation of this vulnerability could disrupt the BLE connection or cause a deadlock in which a manual restart would be required. | Espressif Systems |
Deadlock | Channel Map Deadlock | CVE-2020-13594 (TBA) | Successful exploitation of this vulnerability could cause a denial-of-service condition: the BLE connection is disrupted and a manual restart may be required. | Microchip Technology |
Deadlock | Channel Map Deadlock | CVE-2020-10069 (TBA) | Successful exploitation of this vulnerability could cause a denial-of-service condition: the BLE connection is disrupted and a manual restart may be required. | Zephyr |
Deadlock | LLID Deadlock | CVE-2019-17061 (6.5) | Successful exploitation of this vulnerability could disrupt the BLE connection or cause a deadlock in which a manual restart would be required. | Cypress |
Deadlock | LLID Deadlock | CVE-2019-17060 (6.5) | Successful exploitation of this vulnerability could critically impair the availability of the device and require the user to power-cycle it manually. | NXP Semiconductors |
Deadlock | Sequential ATT Deadlock | CVE-2019-19192 (6.5) | Successful exploitation of this vulnerability could leave the device in a deadlock state that requires a manual restart. | STMicroelectronics |
Deadlock | Invalid Connection Request | CVE-2019-19193 (6.5) | Successful exploitation of this vulnerability could cause a denial-of-service condition; the device may enter a deadlock state and require a manual restart. | Texas Instruments |
Security Bypass | DHCheck Skip | CVE-2020-13593 (TBA) | Successful exploitation of this vulnerability could allow illegitimate device pairing by starting the encryption procedure early and skipping the remaining pairing security checks. | Texas Instruments |
Security Bypass | Zero LTK Installation | CVE-2019-19194 (8.8) | Successful exploitation of this vulnerability could give the attacker arbitrary read or write access to the device's functions. | Telink Semiconductor |
Table 1. Vulnerability Details
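The crash and bypass classes in Table 1 share a root cause: a length or key-size field supplied by the peer is trusted before it is checked against what was actually received, the size of the receive buffer, or the range the specification allows. The following C is an added illustration written for this advisory; it is not code from any of the vendors' SDKs or from the Zephyr stack, and it does not reproduce any of the listed bugs. It shows the checks a BLE receive path needs: the link-layer Length octet checked against the frame actually received, the L2CAP header checked for truncation and its announced length checked against the reassembly buffer, a continuation fragment checked against the bytes still outstanding, and an SMP key size outside 7..16 octets or an all-zero LTK refused. The 64-byte reassembly buffer, the sample frames and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Link-layer and SMP limits from the Bluetooth Core Specification (LE). */
#define LL_HDR_LEN        2     /* Data PDU header: LLID/NESN/SN/MD octet + Length octet */
#define LL_MAX_PAYLOAD    251   /* largest Data PDU payload (LE Data Length Extension) */
#define L2CAP_HDR_LEN     4     /* 16-bit PDU length + 16-bit channel ID */
#define SMP_MIN_KEY_SIZE  7
#define SMP_MAX_KEY_SIZE  16
#define L2CAP_RX_BUF      64    /* hypothetical reassembly buffer of a constrained SoC */

enum { LLID_RESERVED = 0, LLID_CONT = 1, LLID_START = 2, LLID_CTRL = 3 };

typedef struct { uint8_t llid, len; const uint8_t *payload; } ll_pdu_t;

typedef struct {
    uint8_t  buf[L2CAP_RX_BUF];
    uint16_t cid, expected, received;
    bool     in_progress;
} l2cap_rx_t;

/* Parse one Data PDU. The Length octet is attacker-controlled, so it is checked
 * against both the spec maximum and the number of octets actually received. */
bool ll_parse_data_pdu(const uint8_t *frame, size_t frame_len, ll_pdu_t *out)
{
    if (!frame || !out || frame_len < LL_HDR_LEN) return false;
    uint8_t llid = frame[0] & 0x03, len = frame[1];
    if (llid == LLID_RESERVED || len > LL_MAX_PAYLOAD) return false;
    if (len > frame_len - LL_HDR_LEN) return false;   /* "length overflow" class */
    *out = (ll_pdu_t){ llid, len, frame + LL_HDR_LEN };
    return true;
}

static int reject(l2cap_rx_t *rx) { rx->in_progress = false; return -1; }

/* Reassemble L2CAP fragments. Returns 1 when a packet is complete, 0 when more
 * fragments are needed, -1 when the fragment is rejected and the state dropped. */
int l2cap_rx_fragment(l2cap_rx_t *rx, const ll_pdu_t *pdu)
{
    if (pdu->llid == LLID_CTRL) return 0;                  /* LL control PDUs are not L2CAP */
    if (pdu->llid == LLID_START) {
        if (pdu->len < L2CAP_HDR_LEN) return reject(rx);    /* truncated L2CAP header */
        uint16_t l2len = pdu->payload[0] | (uint16_t)pdu->payload[1] << 8;
        size_t body = pdu->len - L2CAP_HDR_LEN;
        if (l2len > L2CAP_RX_BUF || body > l2len) return reject(rx); /* announced length vs buffer */
        rx->cid = pdu->payload[2] | (uint16_t)pdu->payload[3] << 8;
        rx->expected = l2len; rx->received = (uint16_t)body; rx->in_progress = true;
        memcpy(rx->buf, pdu->payload + L2CAP_HDR_LEN, body);
    } else {                                               /* LLID_CONT */
        if (pdu->len == 0) return 0;                       /* empty PDU (keep-alive) */
        if (!rx->in_progress) return reject(rx);           /* continuation without a start */
        if (pdu->len > rx->expected - rx->received) return reject(rx); /* past announced length */
        memcpy(rx->buf + rx->received, pdu->payload, pdu->len);
        rx->received += pdu->len;
    }
    if (rx->received == rx->expected) { rx->in_progress = false; return 1; }
    return 0;
}

/* SMP: the negotiated key size must be 7..16 octets, and an LTK whose key_size
 * significant octets (sent first over the air) are all zero must not be installed. */
bool smp_key_size_ok(uint8_t key_size)
{
    return key_size >= SMP_MIN_KEY_SIZE && key_size <= SMP_MAX_KEY_SIZE;
}

bool smp_ltk_installable(const uint8_t ltk[16], uint8_t key_size)
{
    if (!smp_key_size_ok(key_size)) return false;
    uint8_t acc = 0;
    for (unsigned i = 0; i < key_size; i++) acc |= ltk[i];
    return acc != 0;
}

/* Feed one raw frame through both layers; -2 means the link layer rejected it. */
int rx_frame(l2cap_rx_t *rx, const uint8_t *frame, size_t frame_len)
{
    ll_pdu_t pdu;
    return ll_parse_data_pdu(frame, frame_len, &pdu) ? l2cap_rx_fragment(rx, &pdu) : -2;
}

/* Constructed sample frames (not captures): two header octets, then payload. */
static const uint8_t F_COMPLETE[]  = {0x02,0x07, 0x03,0x00,0x04,0x00, 0x0a,0x0b,0x0c}; /* 3-byte ATT PDU, CID 4 */
static const uint8_t F_LL_OVER[]   = {0x02,0x20, 0x03,0x00,0x04,0x00, 0x0a,0x0b,0x0c}; /* Length says 32, 7 present */
static const uint8_t F_TRUNC[]     = {0x02,0x02, 0x03,0x00};                           /* L2CAP header cut short */
static const uint8_t F_L2_OVER[]   = {0x02,0x04, 0x64,0x00,0x04,0x00};                 /* announces 100 > 64 buffer */
static const uint8_t F_START[]     = {0x02,0x05, 0x03,0x00,0x04,0x00, 0xaa};           /* first 1 of 3 body bytes */
static const uint8_t F_CONT_OK[]   = {0x01,0x02, 0xbb,0xcc};
static const uint8_t F_CONT_OVER[] = {0x01,0x03, 0xbb,0xcc,0xdd};                      /* 3 > 2 bytes outstanding */

/* Two-fragment scenario; returns the result of the continuation fragment. */
int demo_fragments(bool overflow)
{
    l2cap_rx_t rx = {0};
    if (rx_frame(&rx, F_START, sizeof F_START) != 0) return -3;
    return overflow ? rx_frame(&rx, F_CONT_OVER, sizeof F_CONT_OVER)
                    : rx_frame(&rx, F_CONT_OK, sizeof F_CONT_OK);
}

int main(void)
{
    l2cap_rx_t rx = {0};
    uint8_t zero[16] = {0}, key[16] = {0x11};
    printf("complete %d, LL overflow %d, truncated %d, L2CAP overflow %d\n",
           rx_frame(&rx, F_COMPLETE, sizeof F_COMPLETE), rx_frame(&rx, F_LL_OVER, sizeof F_LL_OVER),
           rx_frame(&rx, F_TRUNC, sizeof F_TRUNC), rx_frame(&rx, F_L2_OVER, sizeof F_L2_OVER));
    printf("fragments ok %d, fragment overflow %d\n", demo_fragments(false), demo_fragments(true));
    printf("zero LTK %d, key size 17 %d, real key %d\n",
           smp_ltk_installable(zero, 16), smp_key_size_ok(17), smp_ltk_installable(key, 16));
    return 0;
}
```

The return codes separate the two layers on purpose: a link-layer rejection (-2) never reaches L2CAP, while an L2CAP rejection (-1) drops the half-assembled state so a later continuation fragment cannot be appended to stale bytes. In a real stack the length comparison in `ll_parse_data_pdu` would be made against the radio's reported receive length before any DMA or memcpy is driven by the Length octet.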
Qualitative severity rating
Rating | CVSS Score |
---|---|
Critical | 9.0 – 10.0 |
High | 7.0 – 8.9 |
Medium | 4.0 – 6.9 |
Low | 0.1 – 3.9 |
None | 0.0 |
Table 2. Qualitative Severity Rating Scale
Refer to the links below for patches released by the BLE SoC manufacturers to address these vulnerabilities:
- Cypress
- Dialog Semiconductors (login required)
- NXP Semiconductors (login required)
- Texas Instruments: https://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/881879 and https://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/881881
- Zephyr
Customers of affected products are advised to install the security updates released by the individual SoC manufacturers, after validating them in a test or development environment that reflects the production environment. Customers are also advised to take note of the following considerations:
- If no security update is yet available for your affected device, develop a plan to update the affected devices as soon as a patch is released.
- Where feasible, evaluate whether the BLE wireless communications protocol can safely be disabled on the device.
- Vendors of affected devices and products should provide users with information on the affected products and recommendations on how to mitigate the vulnerabilities.
- Organisations using the affected devices and products are advised to perform a proper impact analysis and risk assessment before deploying defensive measures.
- Users of affected products can consider turning off the BLE wireless communications protocol when it is not in use as a temporary mitigation.
More information is available here: