A team of researchers from the Singapore University of Technology and Design has identified a number of dangerous issues in the Bluetooth Low Energy (BLE) SDKs developed by SoC (System-on-Chip) manufacturers. The vulnerabilities are collectively called SweynTooth.
The main danger is that many companies making IoT and other smart devices buy SoCs from these vendors and build their products around them. The SDKs in question are supplied by the SoC manufacturers to provide BLE support (BLE is a variant of the Bluetooth protocol designed to keep the device's radio activity as short as possible and thereby minimize battery drain).
After testing several SoC chipsets, the researchers identified a total of 12 distinct vulnerabilities. Last week, together with the publication of the SweynTooth report, they named the seven SoC manufacturers that have already released updated versions of their BLE SDKs with the bugs fixed: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.
Unfortunately, these are by no means all of the manufacturers whose BLE SDKs are affected by the SweynTooth bugs. The researchers promise to update the list gradually, adding new names as manufacturers patch their products.
Unfortunately, there are many vulnerable products: according to the researchers, the vulnerable BLE SDKs are currently used in at least 480 consumer products. The long list includes fitness bracelets, smart plugs, locks, pet trackers, smart home systems, alarms, blood glucose meters and other wearable and medical devices, and it features popular brands such as Fitbit, Samsung and Xiaomi. Worse still, the researchers themselves admit that the list is likely to grow.
All 12 SweynTooth vulnerabilities fall into three groups according to the effect of exploiting them: attacks that crash the device; attacks that lock the device up so that it stops responding and has to be restarted; and attacks that bypass security mechanisms and allow an attacker to take control of the device.
The only good news is that all attacks on the SweynTooth issues must be carried out in close physical proximity to the victim, i.e. within BLE radio range; the vulnerabilities cannot be exploited remotely over the Internet. Demo examples of the attacks can be seen below.
Experts note that the fixes the developers are now making to their BLE SDKs are unlikely to reach end users soon. For that to happen, the SoC manufacturers must first contact the device manufacturers, which in turn must distribute the patches to their products as firmware updates. But many vulnerable devices are sold white-labeled under other brands, so the supply chain here can hardly be called short or transparent.