Security researchers from the Singapore University of Technology and Design have published details on a family of 12 vulnerabilities, with more waiting in the wings, affecting Bluetooth Low Energy (BLE) implementations: SweynTooth.
"SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six major system-on-a-chip (SoC) vendors," researchers Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang, write of their disclosure in a release first spotted by Bleeping Computer. "The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows or completely bypass security depending on the circumstances.
"SweynTooth potentially affects IoT products in appliances such as smart homes, wearables and environmental tracking or sensing. We have also identified several medical and logistics products that could be affected. As of today, SweynTooth vulnerabilities are found in the BLE SDKs sold by major SoC vendors, such as Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.
"By no means, this list of SoC vendors is exhaustive in terms of being affected by SweynTooth," the researchers warn. "We have followed responsive disclosure during our discovery, which allowed almost all SoC vendors to publicly release their respective patches already. However, a substantial number of IoT products relying on the affected SoCs for BLE connectivity will still need to independently receive patches from their respective vendors, as long as a firmware update mechanism is supported by the vendor."
The SweynTooth family includes a dozen disclosed vulnerability across three categories: Crash vulnerabilities, which can restart or potentially hang affected devices; Deadlock vulnerabilities, which cause a hard fault or memory corruption requiring a manual power-off; and a single Security Bypass vulnerability, allowing attackers to ignore the Secure Connections feature of Bluetooth Low Energy in order to gain arbitrary read and write access to the device.
More information on the vulnerabilities, some of which have been patched by affected vendors, can be found on the SweynTooth disclosure; code to test and exploit the vulnerabilities, meanwhile, is available on Garbelini's GitHub repository.