The Bluetooth Low Energy peripheral implementation on Texas Instruments SIMPLELINK-CC2640R2-SDK through 3.30.00.20 and BLE-STACK through 1.5.0 before Q4 2019 for CC2640R2 and CC2540/1 devices does not properly restrict the advertisement connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.
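As an added illustration (not code from the TI SDK, BLE-STACK, or the SweynTooth researchers), the following is a receive-side validator for the link-layer connection request payload (CONNECT_IND, called CONNECT_REQ before Bluetooth 5). It rejects the two inputs described on this page, a truncated PDU and a connection interval or supervision timeout of 0, and also applies the other LLData ranges the Core Specification mandates (window, latency, hop increment, timeout versus interval) so the connection state machine never sees parameters it cannot schedule. The builder produces constructed sample packets, not captures; the addresses, access address and CRC init are arbitrary assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CONNECT_IND payload, Core Spec Vol 6 Part B 2.3.3.1: InitA(6) AdvA(6) LLData(22) = 34 bytes
 * after the 2-byte advertising PDU header. LLData: AA(4) CRCInit(3) WinSize(1) WinOffset(2)
 * Interval(2) Latency(2) Timeout(2) ChM(5) Hop:5|SCA:3 (1). */
#define CONNECT_IND_LEN   34
#define LLDATA_OFF        12

/* Spec ranges. Interval/WinSize/WinOffset in 1.25 ms units, Timeout in 10 ms units. */
#define CONN_INTERVAL_MIN 6      /* 7.5 ms */
#define CONN_INTERVAL_MAX 3200   /* 4 s */
#define CONN_LATENCY_MAX  499
#define CONN_TIMEOUT_MIN  10     /* 100 ms */
#define CONN_TIMEOUT_MAX  3200   /* 32 s */
#define WIN_SIZE_MAX      8      /* 10 ms */
#define HOP_MIN           5
#define HOP_MAX           16

enum connreq_result {
    CONNREQ_OK = 0,
    CONNREQ_BAD_LENGTH,        /* truncated or oversized payload */
    CONNREQ_BAD_INTERVAL,      /* e.g. interval == 0 */
    CONNREQ_BAD_WINDOW,
    CONNREQ_BAD_LATENCY,
    CONNREQ_BAD_TIMEOUT,       /* e.g. timeout == 0 */
    CONNREQ_TIMEOUT_TOO_SHORT, /* timeout must exceed 2 * (1 + latency) * interval */
    CONNREQ_BAD_HOP
};

typedef struct {
    uint32_t access_addr, crc_init;
    uint8_t  win_size, hop, sca, chan_map[5];
    uint16_t win_offset, interval, latency, timeout;
} ll_conn_params_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Validate a received connection request payload before it reaches the connection state
 * machine. Every check is a plain range test on a parsed field; the request is dropped,
 * not acted on, when any of them fails. */
enum connreq_result validate_connect_ind(const uint8_t *pl, size_t len, ll_conn_params_t *out)
{
    ll_conn_params_t c;
    const uint8_t *d;

    if (pl == NULL || len != CONNECT_IND_LEN)      /* truncated PDU is rejected up front */
        return CONNREQ_BAD_LENGTH;
    d = pl + LLDATA_OFF;

    c.access_addr = (uint32_t)d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)d[2] << 16) | ((uint32_t)d[3] << 24);
    c.crc_init    = (uint32_t)d[4] | ((uint32_t)d[5] << 8) | ((uint32_t)d[6] << 16);
    c.win_size    = d[7];
    c.win_offset  = rd16(d + 8);
    c.interval    = rd16(d + 10);
    c.latency     = rd16(d + 12);
    c.timeout     = rd16(d + 14);
    memcpy(c.chan_map, d + 16, 5);
    c.hop = d[21] & 0x1F;
    c.sca = d[21] >> 5;

    if (c.interval < CONN_INTERVAL_MIN || c.interval > CONN_INTERVAL_MAX)
        return CONNREQ_BAD_INTERVAL;
    /* WinSize in [1.25 ms, min(10 ms, interval - 1.25 ms)], WinOffset in [0, interval] */
    if (c.win_size < 1 || c.win_size > WIN_SIZE_MAX || c.win_size >= c.interval || c.win_offset > c.interval)
        return CONNREQ_BAD_WINDOW;
    if (c.latency > CONN_LATENCY_MAX)
        return CONNREQ_BAD_LATENCY;
    if (c.timeout < CONN_TIMEOUT_MIN || c.timeout > CONN_TIMEOUT_MAX)
        return CONNREQ_BAD_TIMEOUT;
    /* timeout*10 ms > (1+latency) * interval*1.25 ms * 2  <=>  timeout*4 > (1+latency)*interval */
    if ((uint32_t)c.timeout * 4 <= (uint32_t)(1 + c.latency) * c.interval)
        return CONNREQ_TIMEOUT_TOO_SHORT;
    if (c.hop < HOP_MIN || c.hop > HOP_MAX)
        return CONNREQ_BAD_HOP;

    if (out) *out = c;
    return CONNREQ_OK;
}

/* Build a constructed (not captured) CONNECT_IND payload with the given timing fields. */
size_t build_connect_ind(uint8_t *buf, uint16_t interval, uint16_t latency, uint16_t timeout)
{
    static const uint8_t init_a[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0xC0}; /* assumed addresses */
    static const uint8_t adv_a[6]  = {0x11, 0x22, 0x33, 0x44, 0x55, 0xC0};
    static const uint8_t aa[4]     = {0x25, 0x7D, 0xC4, 0xA3};             /* arbitrary access address */
    uint8_t *p = buf;
    memcpy(p, init_a, 6); p += 6;
    memcpy(p, adv_a, 6);  p += 6;
    memcpy(p, aa, 4);     p += 4;
    *p++ = 0x12; *p++ = 0x34; *p++ = 0x56;   /* CRCInit, arbitrary */
    *p++ = 3;                                 /* WinSize: 3.75 ms */
    wr16(p, 0);        p += 2;                /* WinOffset */
    wr16(p, interval); p += 2;
    wr16(p, latency);  p += 2;
    wr16(p, timeout);  p += 2;
    memset(p, 0xFF, 4); p[4] = 0x1F; p += 5;  /* all 37 data channels used */
    *p++ = (uint8_t)((0 << 5) | 9);           /* SCA=0, Hop=9 */
    return (size_t)(p - buf);
}

/* Build a request, optionally truncate it to `len` bytes as an attacker would, and validate it. */
enum connreq_result check_constructed(uint16_t interval, uint16_t latency, uint16_t timeout, size_t len)
{
    uint8_t buf[CONNECT_IND_LEN];
    size_t built = build_connect_ind(buf, interval, latency, timeout);
    return validate_connect_ind(buf, len < built ? len : built, NULL);
}

int main(void)
{
    printf("valid         -> %d\n", check_constructed(24, 0, 100, CONNECT_IND_LEN));
    printf("interval 0    -> %d\n", check_constructed(0, 0, 100, CONNECT_IND_LEN));
    printf("timeout 0     -> %d\n", check_constructed(24, 0, 0, CONNECT_IND_LEN));
    printf("truncated     -> %d\n", check_constructed(24, 0, 100, 20));
    printf("timeout short -> %d\n", check_constructed(3200, 0, 100, CONNECT_IND_LEN));
    return 0;
}
```

The length check comes first because every later field read depends on it; a stack that parses LLData from a short PDU reads whatever happens to sit past the end of the receive buffer. The interval and timeout checks reject 0 as a side effect of enforcing the specified minimums, so the fix does not need a special case for the exact values the researchers used.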
Recent assessments:
pbarry25 at April 23, 2020 9:30pm UTC reported:
This vuln is part of a related batch named SweynTooth from researchers at the Singapore University of Technology and Design. The SweynTooth vulnerabilities lie within certain Bluetooth Low Energy (BLE) SDKs for Systems-on-a-Chip (SoC), which can make proliferating fixes to affected devices in the field a slow going.
Vulnerable devices need to be within BLE radio range in order for an attacker to target them. A successful exploit can leave the target in a deadlocked state (in this case, stuck in the "idle" state), triggered by sending the vulnerable device either a truncated connection request OR a connection request with invalid "interval" or "timeout" values of 0. While the condition of being stuck in the "idle" state should be handled by the application layer (and transitioned to another state), not all devices correctly do so (at least one instance of "example code" provided with the SDK did not handle this condition). In their testing, researchers were able to deadlock an eGeeTouch smart luggage lock containing this vulnerability, requiring a power cycle to resume normal operation. A detailed explanation can be found here in the original disclosure. It appears the SoC manufacturer has issued fixes for their vulnerable SDK(s).
EDIT: Attacker Value for this item largely depends on the type of device the vulnerable target is and behavior the device exhibits when successfully exploited.
Assessed Attacker Value: 3
Assessed Attacker Value: 4