SweynTooth: Bluetooth Vulnerabilities Expose Many Devices to Attacks

Security researchers have discovered numerous vulnerabilities in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.


BLE is a wireless communication technology designed to reduce battery drain on mobile and Internet of Things (IoT) devices. Consisting of a set of standardized protocols, BLE provides connectivity between peripherals and a user’s smartphone or notebook.


The BLE software development kits (SDKs) of six major SoC vendors contain many vulnerabilities that could be triggered by attackers within Bluetooth range.


These issues impact smart homes, wearables, and environmental tracking or sensing systems, and possibly affect medical and logistics products as well, security researchers Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang from the Singapore University of Technology and Design explain.



The researchers have detailed a total of 12 vulnerabilities they refer to as “SweynTooth,” but note that more exist that cannot be disclosed yet. Impacted vendors, which include Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor, have been notified, and almost all of them have already released patches.


However, the list of impacted SoC vendors is longer, and “a substantial number of IoT products” that use the affected SoCs still need independent patches from their respective vendors, the researchers say.


“SweynTooth highlights concrete flaws in the BLE stack certification process. We envision substantial amendments to the BLE stack certification to avoid SweynTooth style security flaws. We also urge SoC vendors and IoT product manufacturers to be aware of such security issues and to initiate focused effort in security testing,” the whitepaper reads.


Based on the type and behavior of the affected BLE devices, the SweynTooth vulnerabilities are classified as crash flaws (can lead to the ..
