This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

A suite of vulnerabilities related to devices using Low Energy (BLE) wireless communications protocol

Good afternoon,
Today we had a question about the certification of our product related to the reliability of communication.
We received a letter of the following content:

Dear colleagues,
 
FDA was made aware of a suite of vulnerabilities related to devices using Low Energy (BLE) wireless communications protocol. These reported vulnerabilities may allow actors to crash devices, reboot devices and force them into a “deadlocked” state, or bypass security features.
 
The vulnerabilities were published by a group of researcher on February 10th and FDA learned about this issue last week.
Probably this is the communication by the researchers: https://asset-group.github.io/disclosures/sweyntooth/ 
 
The affected chips identified so far are: Texas Instruments, Paddling, Cypress, ST Micro Electronics, Dialog, NXP, Semiconductors, Microchip, Telink Semiconductor – non-exhaustive list.
 
The exploit codes are available – not clear if online or only with the researchers. The researchers are being contacted.
 
It appears that these exploits may not be used directly from the internet, physical proximity to the device being necessary.
 
 
We have no further information but in the public domain there is the following article.
https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/ 
https://www.zdnet.com/article/unknown-number-of-bluetooth-le-devices-impacted-by-sweyntooth-vulnerabilities/ 
 
Useful resource listing products with :
https://launchstudio.bluetooth.com/Listings/Search 
 
 
You are strongly encouraged to contact your members and request them to start assessing the impact on their products portfolios

I would like to receive your comments regarding the detected vulnerabilities.

Bset regards,

Max

Parents
  • were you able to get a document to prove that nRF52 BLE stacks are not affected by any of the sweyntooth vulnerabilities ?

  • Hi, below the contents of the letter:

    Hi Maxim,
    
    All vulnerabilities have registered CVEs and are documented here:
    https://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf
    
    All CVEs identify the hardware and software platforms affected.  
    Nordic is not documented as an affected platform.
    The fact that our devices and software are unaffected is evidenced in the fact 
    we are not identified in the CVEs.  We do not need to issue an official statement to verify this, 
    it can be independently verified by anyone as the CVE database is public. 
    
    MACIEJ MICHNA | Regional Sales Manager
    M +48 600 439 203 | Kraków, Poland
    nordicsemi.com | devzone.nordicsemi.com 
    

Reply
  • Hi, below the contents of the letter:

    Hi Maxim,
    
    All vulnerabilities have registered CVEs and are documented here:
    https://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf
    
    All CVEs identify the hardware and software platforms affected.  
    Nordic is not documented as an affected platform.
    The fact that our devices and software are unaffected is evidenced in the fact 
    we are not identified in the CVEs.  We do not need to issue an official statement to verify this, 
    it can be independently verified by anyone as the CVE database is public. 
    
    MACIEJ MICHNA | Regional Sales Manager
    M +48 600 439 203 | Kraków, Poland
    nordicsemi.com | devzone.nordicsemi.com 
    

Children
No Data
Related