A Dozen Vulnerabilities Affect Millions of Bluetooth LE Powered Devices

A team of cybersecurity researchers late last week disclosed the existence of 12 potentially severe security vulnerabilities, collectively named 'SweynTooth,' affecting millions of Bluetooth-enabled wireless smart devices worldwide—and worryingly, a few of which haven't yet been patched.

All SweynTooth flaws basically reside in the way software development kits (SDKs) used by multiple system-on-a-chip (SoC) have implemented Bluetooth Low Energy (BLE) wireless communication technology—powering at least 480 distinct products from several vendors including Samsung, FitBit and Xiaomi.

According to the researchers, hackers in close physical proximity to vulnerable devices can abuse this vulnerability to remotely trigger deadlocks, crashes, and even bypass security in BLE products, allowing them to arbitrary read or write access to device's functions that are otherwise only allowed to be accessed by an authorized user.

"As of today, SweynTooth vulnerabilities are found in the BLE SDKs sold by major SoC vendors, such as Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor," the researchers from the Singapore University of Technology and Design said.


Here is a list and brief information on all 12 SweynTooth vulnerabilities:

• Link Layer Length Overflow (CVE-2019-16336, CVE-2019-17519) — These allow attackers in radio range to trigger a buffer overflow by manipulating the LL Length Field, primarily leading to a denial of service attacks.
• Link Layer LLID deadlock (CVE-2019-17061, CVE-2019-17060) — These trigger deadlock state when a device receives a packet with the LLID field cleared.
• Truncated L2CAP (CVE-2019-17517) — This flaw results due to a lack of checks while processing an L2CAP packet, causing a denial of service and crash of the device.
• Silent Length Overflow (CVE-2019-17518) — A buffer overflow occurs when a certain packet payload with higher than expected LL Length is sent, the peripheral crashes.
• Invalid Connection Request (CVE-2019-19195) — When devices do not properly handle some connection parameters while the central attempts a connection to the peripheral, they could lead to Deadlock state.
• Unexpected Public Key Crash (CVE-2019-17520) — This bug is present in the implementation of the legacy pairing procedure, which is handled by the Secure Manager Protocol (SMP) implementation, and can be used to perform DoS and possibly restart products.
• Sequential ATT Deadlock (CVE-2019-19192) — This flaw lets attackers deadlock the peripheral by sending just two consecutive ATT request packets in each connection event.
• Invalid L2CAP fragment (CVE-2019-19195) — improper handling of the PDU size of the packets can lead to deadlock behavior.
• Key Size Overflow (CVE-2019-19196) — This overflow in the device memory issue is a combination of multiple bugs found during the pairing procedure of devices, resulting in a crash.
• Zero LTK Installation (CVE-2019-19194) — This critical vulnerability is a variation of one of the Key Size Overflow. It affects all products using Telink SMP implementation with support for secure connection enabled.

The detailed report says affected products include consumer electronics, smart home devices, wearables, and are also being used in the logistics and healthcare industry, malfunctioning of which can lead to hazardous situations.


"The most critical devices that could be severely impacted by SweynTooth are the medical products. VivaCheck Laboratories, which manufacture Blood Glucose Meters, has many products listed to use DA14580," the researchers said.

"Hence all these products are potentially vulnerable to the Truncated L2CAP attack. Even worse, Syqe Medical Ltd. and their programmable drug delivery inhalation platform (Syqe Inhaler v01) is affected alongside the latest pacemaker related products from Medtronic Inc."

According to the report, researchers disclosed these flaws last year to all affect vendors, many of which have now released patches for their respective SoCs.

Wheres, products developed by some SoC vendors, including Dialog, Microchip, and STMicroelectronics, are unpatched at the time of the disclosure.