As part of Promenade’s services, we perform vulnerability analyses of our clients' Bluetooth System on Chips (SoCs). The SoC Bluetooth might normally get overlooked because the SoC hardware and firmware may not be captured as part of a generated CBOM. Several high-profile BLE and Bluetooth classic vulnerabilities have been published, and it is important to make sure your system cannot fall prey to them.
Bluetooth vulnerabilities generally affect either Bluetooth Low Energy (BLE) or Bluetooth classic. For example, BrakTooth is a high-profile Bluetooth classic vulnerability, whereas SweynTooth affects only BLE. One CVE (Common Vulnerabilities and Exposures) can be present on multiple vender SoCs, as they will often share the same Bluetooth stack.
Example: Tracking Vulnerabilities for a Specific Part
A client is using an Infineon (formerly Cypress) part CYBLE-416045-2, BLE 5.0. This part uses the Cypress PSoC® 63 BLE silicon, and the BLE middleware stack Library is listed as v3.60. To search for vulnerabilities, we use several online sources, including the NIST National Vulnerability database for CVEs, and the specific SoC manufacturer's website. Typically, the part manufacturer has a site addressing CVE status.
The NIST Database
We searched the NIST database for Cypress Bluetooth vulnerabilities, and 9 vulnerabilities were listed:
Removing the non-BLE vulnerabilities reduced the list to 4:
The SoC Manufacturer Information:
Looking at published information from Infineon, we can find security bulletins here on their site.
For most of the NIST-listed [MS2] vulnerabilities, a security bulletin describes the resolution status. For example, selecting the CVE-2019-017061 and CVE-2019-16336 bulletin, we can get the following detailed information:
Notice that the NIST database lists only PSoC4, but the Infineon acknowledges that it affects PSoC6 as well. This is a great example of why it is necessary to verify information across different sources. We see we are using the BLE middleware v3.60, which has these vulnerabilities resolved in ModusToolbox 2.x.
For CVE-2019-13917 this security bulletin is available from Infineon. Consistent with the NIST database, this only affects specific part numbers, and CYBLE-416045-2 is not on the list.
One of the NIST listed vulnerabilities, CVE-2020-11957, does not have a security bulletin from Infineon. The NIST database calls out BLE 4.2, and our client is using BLE 5.0. While it is not 100% conclusive, it appears that this vulnerability is not applicable for our client.
Checking for vulnerabilities in your system’s Bluetooth SoC is both important and a bit challenging. Multiple sources should be used to make sure the information is consistent and that no CVEs are left unresolved. This evaluation should be also be done regularly when the product is in production to catch newly discovered vulnerabilities.