This repository is part of a research outcome from the ASSET Research Group.
SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different Bluetooth Low Energy (BLE) software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows or completely bypass security depending on the circumstances.
You can check more information about the vulnerabilities, available patches and affected devices on ASSET Research Group SweynTooth disclosure website.
Fitbit, August Smart Lock, Eve Energy, CubiTag and other "Smart" things are affected.
- Fitbit Inspire Crash & CubiTag deadlock - https://www.youtube.com/watch?v=Iw8sIBLWE_w
- Eve Energy & August Smart Lock crash - https://www.youtube.com/watch?v=rge1XeJVpag&t=6s
This PoC uses well maintained libraries such as Scapy and Colorama. The BLE packet crafting and dissection is done via customized Scapy protocol layers (bluetooth4LE and bluetooth.py). There's a merge in progress to include our additions in Scapy's main repository.
SweynTooth uses the Nordic nRF52840 Dongle to send/receive raw link layer packets to and from the vulnerable peripheral over the air. It is necessary to flash the driver firmware to the board before starting the Python 2.7 scripts.
The binary of our firmware code is on the nRF52_driver_firmware.zip file. You need to install nrfutil tool to flash the firmware on the board. Remember to put the nRF52840 on DFU mode before flashing (reset the USB dongle while it is connected to your PC by pressing the reset button). You can run the following commands to install the Python dependencies and to flash the firmware:
python -m pip install nrfutil pyserial
nrfutil dfu usb-serial -p COM_PORT -pkg nRF52_driver_firmware.zipThe scripts work on Linux or Windows. You just need to change the COM_PORT parameter to match the nRF52840 port name. You can alternatively flash the firmware by using the nRF Connect App for Desktop, which gives a nice interface to flash the firmware.
After the requirements are installed, you can run an exploit script by executing the following command:
python Telink_key_size_overflow.py COM7 A4:C1:38:D8:AD:A9The first argument is the serial port name (generally /dev/ttyACM0 on Linux) and the second is the address of the vulnerable BLE device. You can use any BLE scanner or the nRF Connect App to discover such address.
Taking as example the Key Size Overflow vulnerability, the following output is given by the script if the vulnerable device hangs after the crash:
Each exploit script corresponds to one flaw. The following summary table captures the correspondence between the vulnerability and a script to exploit the vulnerability on the affected SoCs.
| Vulnerability | CVE(s) | Vendor | Script file |
|---|---|---|---|
| Link Layer Length Overflow | CVE-2019-16336 CVE-2019-17519 |
Cypress NXP |
link_layer_length_overflow.py |
| LLID Deadlock | CVE-2019-17061 CVE-2019-17060 |
Cypress NXP |
llid_dealock.py |
| Truncated L2CAP | CVE-2019-17517 | Dialog | DA14580_exploit_att_crash.py |
| Silent Length Overflow | CVE-2019-17518 | Dialog | DA14680_exploit_silent_overflow.py |
| Public Key Crash | CVE-2019-17520 | Texas Instruments | CC2640R2_public_key_crash.py |
| Invalid Connection Request | CVE-2019-19193 | Texas Instruments | CC_connection_req_crash.py |
| Invalid L2CAP Fragment | CVE-2019-19195 | Microchip | Microchip_invalid_lcap_fragment.py |
| Sequential ATT Deadlock | CVE-2019-19192 | STMicroelectronics | sequential_att_deadlock.py |
| Key Size Overflow | CVE-2019-19196 | Telink | Telink_key_size_overflow.py |
| Zero LTK Installation | CVE-2019-19194 | Telink | TBA |
Generally, products using the affected SoCs employ a watchdog to automatically restart the BLE SoC in the case a fault occurs, hence not all products can be deadlocked. Nevertheless, it should be possible to get some visual or audio indication from the product if the same crashes and restarts.
The folder captures contains some sample captures of each vulnerability. We have also added some noncompliance cases detected in some SoCs.
This research was partially supported by Keysight Technologies.