Is the SweynTooth vulnerabilities addressed in nrf products?

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

Kenneth — Mon, 30 Mar 2020 11:34:11 GMT

[quote user="tomschreurs"]Did Nordic perform their own tests to see if their nRF chips are vulnerable?[/quote]

Yes, Nordic has both inspected source code and run the attack tools to double confirm all findings.

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

tomschreurs — Fri, 27 Mar 2020 13:36:25 GMT

Thanks for the info Kenneth. An official statement/communication in the form of an Informational Notice or similar would be very much appreciated though.

In response to brindusa below you mention "Nordic is not documented as an affected platform" and "The fact that our devices and software are unaffected is evidenced in the fact we are not identified in the CVEs". I don't agree with that. It could be a false negative, because I can't find in the article (https://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf) that Nordic chips were subjected to the same attacks/tests.

Did Nordic perform their own tests to see if their nRF chips are vulnerable?

Thank you

Tom

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

Henrik T — Wed, 18 Mar 2020 09:48:02 GMT

Based on your input above and the non-existence of a security IN for nRF8001, I assume that nRF8001 is also deemed not affected by SweynTooth.

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

Kenneth — Thu, 12 Mar 2020 09:23:35 GMT

All vulnerabilities have registered CVEs and are documented here:
https://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf

All CVEs identify the hardware and software platforms affected. Nordic is not documented as an affected platform.

The fact that our devices and software are unaffected is evidenced in the fact we are not identified in the CVEs. We do not need to issue an official statement to verify this, it can be independently verified by anyone as the CVE database is public.

In general:

I recommend to regularly check the PCN and IN section on infocenter, if there are any information we want you to be aware it will be listed there, for instance check out for the nRF52832 here:

https://infocenter.nordicsemi.com/topic/struct_nrf52/struct/nrf52832_pcn.html

At the same time check out the Errata section for any new issues that may have been identified that you should consider to handle in your application:

https://infocenter.nordicsemi.com/topic/struct_nrf52/struct/nrf52832_errata.html

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

brindusa — Thu, 12 Mar 2020 02:49:20 GMT

Is there an official communicate from Nordic regarding this assessment?

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

Henrik T — Tue, 10 Mar 2020 15:03:40 GMT

Hi Kenneth.

We have a released product with nRF8001-R2Q32-R, Build code D. Do you have a status on this?

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

Vishnu Pradeep — Thu, 05 Mar 2020 12:33:39 GMT

Thanks for the update.

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

MakotoW — Wed, 04 Mar 2020 02:27:55 GMT

OH I missed it.

Thank you very much.

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

Kenneth — Tue, 03 Mar 2020 13:41:32 GMT

I have updated the answer with final results of investigations.

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

MakotoW — Tue, 03 Mar 2020 04:17:49 GMT

I'm sorry for sudden reply.

How about "s120_nrf51_2.1.0" "s110_nrf51_8.0.0" "s120_nrf51_2.0.0" "s110_nrf51822_7.0.0" ?

We are using these version for mass-production.

I need any answer.

Kind regards.

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

MATHEUS — Mon, 24 Feb 2020 17:53:03 GMT

Thanks for the prompt action.

RE: Is the SweynTooth vulnerabilities addressed in nrf products?

Kenneth — Wed, 19 Feb 2020 11:52:41 GMT

Final update:

The investigation is now finished.

Nordic has determined:

- nRF51 SoftDevices are NOT affected by these attacks (S110, S120, S130 all versions)

- nRF52 SoftDevices are NOT affected by these attacks (S112, S113, S132, S140 all versions)