Bluetooth LE devices impacted by SweynTooth vulnerabilities

BLE software kits from six chipset vendors impacted. More vendor names to be revealed soon.


A team of academics from Singapore published a research paper this week detailing a collection of vulnerabilities named SweynTooth that impact devices running the Bluetooth Low Energy (BLE) protocol.

More specifically, the SweynTooth vulnerabilities impact the software development kits (SDKs) responsible for supporting BLE communications.

These BLE SDKs are provided by vendors of system-on-a-chip (SoC) chipsets.

Companies that make IoT or smart devices buy these SoCs and use them as the base chipset around which they build their devices. They use the BLE SDK provided by the SoC maker to support communications via BLE, a version of the Bluetooth protocol designed to use less energy in order to minimize battery drain on mobile and Internet of Things (IoT) devices.

Six vendors impacted so far. More to follow.

This week, three researchers from the Singapore University of Technology and Design (SUTD) said they spent the last year testing BLE SDKs from several vendors of SoC chipsets.

Researchers said they found 12 bugs (aka the SweynTooth vulnerabilities) that impact these BLE SDKs, which they've reported privately to the SoC vendors.

This week, they revealed the names of six SoC vendors that have so far released new versions of their BLE SDKs containing patches against SweynTooth attacks.

The six vendors that have been named this week include SoC makers like Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor.

"By no means, this list of SoC vendors is exhaustive in terms of being affected by SweynTooth," the researchers said, adding that new SoC vendors will be added to the list in the future as they release patches.

What products are impacted?

The extent of these vulnerabilities is enormous. According to researchers, the vulnerable BLE SDKs have been used in over 480 end-user products.

This list includes products such as fitness tracking bracelets, smart plugs, smart door locks, smart locks, pet trackers, smart home systems, smart lighting solutions, alarm clocks, glucose meters, and various other wearables and medical devices.

The list is comprehensive, and even includes some popular brands like FitBit, Samsung, and Xiaomi.

Furthermore, the list of 480 products is likely to grow as the research team reveals new SoC vendor names in the coming year.

It is currently near impossible to estimate the actual number of devices that run vulnerable BLE implementations, and which are now exposed to one or more of the 12 SweynTooth attacks.

What do the SweynTooth attacks do?

Per the research team, the 12 SweynTooth vulnerabilities can be grouped together based on the effect of their exploitation.

Per the table below, we have three categories of SweynTooth attacks:

  • Attacks that crash devices
  • Attacks that reboot devices and force them into a frozen (deadlocked) state
  • Attacks that bypass security features and allow hackers to take control of devices

[Table image: sweintooth-flaws.png]

The biggest SweynTooth downside is that BLE SDK patches provided by the SoC vendors will take a while to make their way downstream to the actual user-owned devices.

Patches provided by the SoC vendor will have to reach device manufacturers, which will then have to deliver them to devices via a firmware update. Because some device manufacturers sell white-labeled products that ship with a different brand on the case, it may take a while for the patches to reach users, if they don't get lost or severely delayed in complicated software supply chains.

The only positive thing about SweynTooth is that exploiting any of these vulnerabilities cannot be done over the internet; the attacker must be in physical proximity to the device, within its BLE range, which is usually pretty small.

Additional details about the SweynTooth vulnerabilities are available in a white paper titled "SweynTooth: Unleashing Mayhem over Bluetooth Low Energy," or on this dedicated website.