Security researchers have disclosed a dozen flaws in the implementation of the Bluetooth Low Energy technology on multiple system-on-a-chip (SoC) circuits that power at least 480 products from various vendors.

Collectively named SweynTooth, the vulnerabilities can be used by an attacker in Bluetooth range to crash affected devices, force a reboot by sending them into a deadlock state, or bypass the secure BLE pairing mode and access functions reserved for authorized users.

Devices running on SoCs from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor are impacted by SweynTooth. However, SoCs from other vendors may contain SweynTooth flaws.

A group of three researchers (Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang) from the Singapore University of Technology and Design found the vulnerabilities in 15 SoCs from the aforementioned vendors, six of them being unpatched at the moment of the disclosure.

The trio verified their findings on multiple electronic products powered by the vulnerable SoCs. Among them are the Fitbit Inspire smartwatch, products from smart home vendor Eve Systems (Light Switch, Eve Motion MKII, Eve Aqua, Eve Thermo MKII, Eve Room, Eve Lock, Eve Energy), the August Smart Lock, the CubiTag tracker for lost items, and the eGee Touch smart lock.

A cursory search for other products running on one of the vulnerable circuits returned 480 results. Most of them (307) have the CC2540 SoC from Texas Instruments, where a patch has been implemented.

However, the list includes products used in the healthcare industry, where a denial-of-service scenario could prove critical to a patient's life.

Some examples are the Azure XT DR MRI from Medtronic, the Syqe Inhaler from Syqe Medical, and the Blood Glucose Meter from VivaCheck Laboratories, all three powered by the still unpatched DA14580 SoC. Other products from these companies are in the same state.

The three researchers discovered the security flaws in 2019 and disclosed them responsibly to the affected vendors. They published technical details on a dedicated website more than 90 days after informing the manufacturers.

The severity of each SweynTooth flaw depends on the type of product affected. A crash on a wearable or tracking device does not have the same impact as on a medical device.

Another important factor is that a threat actor needs to be in proximity to the device to send a payload that triggers the bug.

The researchers demonstrated their findings in two videos. The first shows them crashing a Fitbit Inspire and sending a CubiTag tracker into a deadlock state.

In the second video the researchers show how they crashed an Eve Energy smart plug and an August Smart Lock.

While these vulnerabilities do not have a critical or a high severity impact for most of the vulnerable devices, they are still meaningful in the overall context of Bluetooth communication and compliance with implementation standards of this technology.

The SweynTooth bug collection exposes attack vectors against BLE stacks that have passed multiple verifications and are believed to be safe from such flaws. The researchers offered a possible explanation for how such flaws went undetected:

"We believe this is due to the imposed isolation between the link layer and other Bluetooth protocols, via the Host Controller Interface (HCI) protocol. While such a strategy is reasonable for hardware compatibility, this adds complexity to the implementation. Moreover, it overly complicates the strategies to systematically and comprehensively test Bluetooth protocols. Specifically, during testing, it is complex to send arbitrary Link Layer messages during other protocol message exchanges. Such added complexity is likely the reason for inadequate security testing of BLE stack implementation."
