Millions of Bluetooth Devices Affected by SWEYNTOOTH Vulnerabilities

Silviu STAHIE

February 19, 2020

A family of vulnerabilities found in the Bluetooth Low Energy (BLE) software development kits (SDKs) of seven major system-on-a-chip (SoC) vendors affects millions of devices around the world, ranging from simple Bluetooth trackers to medical devices.

BLE is a variant of Bluetooth designed to keep power consumption low, at the cost of throughput: only small amounts of data can be sent at a time. The protocol itself specifies secure pairing and link-layer encryption, but a secure specification does not guarantee a secure implementation, and it is the vendor implementations of the BLE stack that SWEYNTOOTH targets.

SWEYNTOOTH is a collection of vulnerabilities present in the official BLE SDKs of major SoC vendors, including Texas Instruments, NXP, Cypress, Dialog Semiconductor, Microchip, STMicroelectronics and Telink Semiconductor. Because the flaws live in the SDK's BLE stack, every product built on an affected SoC inherits them. Researchers from the Singapore University of Technology and Design explained that this list of vendors is not complete, and other vendors are likely affected as well.

“We have followed responsible disclosure during our discovery, which allowed almost all SoC vendors to publicly release their respective patches already,” said the researchers. “However, a substantial number of IoT products relying on the affected SoCs for BLE connectivity will still need to independently receive patches from their respective vendors, as long as a firmware update mechanism is supported by the vendor.”

The vulnerabilities fall into three categories, depending on the effect of the exploit: a crash, where a malformed packet triggers a hard fault in the SoC; a deadlock, where the BLE stack stops responding and the connection becomes unavailable without a hard fault or memory corruption; and a security bypass. In all three cases the attacker only needs to be within radio range of the target and does not need to be paired with it.

The security bypass is the most dangerous, as it lets an attacker in radio range circumvent the latest secure pairing mode of BLE (LE Secure Connections), gaining arbitrary read or write access to device attributes that should only be reachable over an authenticated, encrypted link.

The published research looked at five consumer devices, the Fitbit Inspire, Eve Energy, August Smart Lock, CubiTag and eGeeTouch, and found all of them affected by SWEYNTOOTH to various degrees. How severely a given product is affected depends on which SoC it uses and on how the vendor's SDK is integrated into the product's firmware.

As for the medical field, vulnerable devices include a blood glucose meter, an inhaler, and even a pacemaker, but that list is probably much more extensive given how many SoC vendors are affected.

While most SoC vendors fixed the issues before the vulnerabilities were made public, some have yet to issue patches, and even where an SoC patch exists, devices remain exposed until their own manufacturers ship a firmware update that incorporates it.
