Millions of Bluetooth Devices Affected by SWEYNTOOTH Vulnerabilities

A family of vulnerabilities found in various Bluetooth Low Energy (BLE) development kits (SDKs) of seven major system-on-a-chip (SoC) affects millions of devices around the world, ranging from simple Bluetooth trackers to medical devices.

BLE is a communication protocol designed to limit power consumption, with a simple disadvantage: not much data can be sent. In theory, BLE is a secure connection, but that doesn’t mean it lacks vulnerabilities.

SWEYNTOOTH is a collection of vulnerabilities available through the official SDKs from all major vendors, such as Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. Researchers from the Singapore University of Technology and Design explained that this list of vendors is not complete, and other vendors are likely affected as well.

“We have followed responsive disclosure during our discovery, which allowed almost all SoC vendors to publicly release their respective patches already,” said the researchers. “However, a substantial number of IoT products relying on the affected SoCs for BLE connectivity will still need to independently receive patches from their respective vendors, as long as a firmware update mechanism is supported by the vendor.

Potential security problems fall into three categories, depending on the effect of the exploit. Vulnerabilities can cause a crash by triggering hard faults, a deadlock that affects availability of the BLE connection without causing a hard fault or memory corruption, and finally, a security bypass.

The security bypass is the most dangerous, as it would let attackers in radio range bypass the latest secure pairing mode of BLE, which would grant them arbitrary read or write access to the device.

The published research looked at five devices, including Fitbit Inspire, Eve Energy, August Smart Lock, CubiTag, and eGeeTouch, and found all of them were affected by SWEYNTOOTH to various degrees. The depth of the vulnerability depends very much on how the software is implemented on each device.

As for the medical field, vulnerable devices include a blood glucose meter, an inhaler, and even a pacemaker, but that list is probably much more extensive given how many SoC vendors are affected.

While many of the vendors fixed the issues before the vulnerabilities were made public, some companies have yet to issue patches, leaving all of their devices exposed.