SweynTooth, targeting Bluetooth

    Bluetooth technology seems to be nearly everywhere now. It is an extremely convenient method to make all sorts of different devices speak the same language and perform greater functions. As we already know though, when computing devices can communicate trouble soon follows in one form or another. This week the details of 12 different security vulnerabilities, collectively called SweynTooth, targeting Bluetooth low energy devices became public. 11 of the 12 vulnerabilities are just denial of service vulnerabilities. The twelfth however allows a complete security bypass on affected devices.

    The group releasing the vulnerabilities is comprised of 3 researchers from the Singapore University of Technology and Design, Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang.
Most devices that implement Bluetooth connectivity do not implement it from the ground up. They instead rely on a specialized system on a chip (SoC) from a larger manufacturer to handle the inner Bluetooth workings and interface with it via a software development kit (SDK). The SDK can allow them to configure specific parameters for connectivity as well as receiving/sending information over the link. Due to most devices sharing SoCs with other devices it is no surprise that a vulnerability in a specific SoC may affect hundreds or thousands of otherwise unrelated devices.

    The vulnerabilities released this week affect SoCs from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor. The devices using these SoCs range from smart watches, smart locks, and even medical devices.

    As stated the majority of these vulnerabilities are able to trigger denial of service. They trigger a denial of service by sending specially crafted packets to the target device to put it into a deadlocked state where it can no longer process incoming or outgoing data.

    To make the device functional again a reboot is required. Most of these attacks require only 1 or 2 packets to be transmitted to exploit successfully. The most dangerous vulnerability of the set is CVE-2019-19194, which can allow an attacker to completely bypass secure communication protections. An attacker using this vulnerability may be able to access functions on the affected device as if they were an authorized user. This could lead to information leakage or even code execution in certain cases.

    This specific vulnerability only appears to affect the Telink SMP family of SoCs.
Before releasing the vulnerability details to the public the researchers followed responsible disclosure guidelines and notified the affected vendors. After 90 days the research went public, with 6 of the 12 vulnerabilities still without patches. When updates become available affected devices should be upgraded to prevent these attacks.

Sources:

  • https://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/
  • https://www.bleepingcomputer.com/news/security/sweyntooth-bug-collection-affects-hundreds-of-bluetooth-products/