Bluetooth Vulnerability Analysis

As part of Promenade’s services, we perform vulnerability analyses of our clients' Bluetooth Systems on Chips (SoCs). The Bluetooth SoC is easy to overlook, because the SoC hardware and firmware may not be captured in a generated CBOM. Several high-profile BLE and Bluetooth classic vulnerabilities have been published, and it is important to make sure your system cannot fall prey to them.

Bluetooth vulnerabilities generally affect either Bluetooth Low Energy (BLE) or Bluetooth classic. For example, BrakTooth is a high-profile Bluetooth classic vulnerability, whereas SweynTooth affects only BLE. One CVE (Common Vulnerabilities and Exposures) entry can apply to SoCs from multiple vendors, as they often share the same Bluetooth stack.

Example: Tracking Vulnerabilities for a Specific Part

A client is using an Infineon (formerly Cypress) part, CYBLE-416045-2, BLE 5.0. This part uses the Cypress PSoC® 63 BLE silicon, and its BLE middleware stack library is listed as v3.60. To search for vulnerabilities, we use several online sources, including the NIST National Vulnerability Database (NVD) for CVEs and the specific SoC manufacturer's website. Typically, the part manufacturer has a site addressing CVE status.

The NIST Database

We searched the NIST database for Cypress Bluetooth vulnerabilities, and 9 vulnerabilities were listed:

NIST Database for Cypress Bluetooth Vulnerabilities

Removing the non-BLE vulnerabilities reduced the list to 4:

  • CVE-2020-11957 – High severity score
  • CVE-2019-13916 – High severity score
  • CVE-2019-16336 – Medium severity score
  • CVE-2019-17061 – Medium severity score

The SoC Manufacturer Information

Looking at published information from Infineon, we can find security bulletins here on their site.

For most of the NIST-listed vulnerabilities, a security bulletin describes the resolution status. For example, selecting the CVE-2019-17061 and CVE-2019-16336 bulletin, we get the following detailed information:

Security Bulletin from Infineon

Notice that the NIST database lists only PSoC4, but Infineon acknowledges that PSoC6 is affected as well. This is a great example of why it is necessary to verify information across different sources. Our client is using BLE middleware v3.60, which has these vulnerabilities resolved in ModusToolbox 2.x.

For CVE-2019-13917, this security bulletin is available from Infineon. Consistent with the NIST database, it affects only specific part numbers, and CYBLE-416045-2 is not on the list.


Security Bulletin from Infineon

One of the NIST-listed vulnerabilities, CVE-2020-11957, has no security bulletin from Infineon. The NIST database calls out BLE 4.2, and our client is using BLE 5.0. While not 100% conclusive, it appears that this vulnerability is not applicable to our client.
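The cross-checking walked through above can be written down as a repeatable triage step. The following is an added example, not Promenade's or Infineon's tooling: it combines what an NVD record says with what the vendor bulletin says for the same CVE, flags families the vendor lists but NVD omits, and decides applicability from the part list, the BLE version and the middleware fix version. The CVE scopes, the placeholder part number and the fix version in the sample data are constructed to mirror this case and are not taken from NVD or Infineon.

```python
from collections import namedtuple

# NVD record: families it names, whether it is a BLE (not classic) issue, BLE spec version it calls out.
NvdEntry = namedtuple("NvdEntry", "cve families is_ble ble_version", defaults=(True, ""))
# Vendor bulletin: affected families, explicit part list (None if not given), middleware fix version.
Bulletin = namedtuple("Bulletin", "cve families parts fixed_in", defaults=(None, ""))
Target = namedtuple("Target", "part family ble_version middleware")

def _ver(v):
    return tuple(int(x) for x in v.split("."))

def triage(target, nvd_entries, bulletins):
    """Map each BLE CVE to (status, reason), cross-checking NVD against the vendor bulletin."""
    by_cve = {b.cve: b for b in bulletins}
    out = {}
    for n in nvd_entries:
        if not n.is_ble:
            continue                      # Bluetooth classic: out of scope for a BLE-only part
        b = by_cve.get(n.cve)
        if b is None:                     # single source only: reason from the NVD scope alone
            if n.ble_version and n.ble_version != target.ble_version:
                out[n.cve] = ("likely not applicable", f"no bulletin; NVD scopes it to BLE {n.ble_version}")
            else:
                out[n.cve] = ("needs review", "no bulletin and NVD scope matches the target")
            continue
        extra = b.families - n.families   # vendor names families the NVD record omits
        note = f" (vendor also lists {sorted(extra)}, NVD does not)" if extra else ""
        if b.parts is not None and target.part not in b.parts:
            out[n.cve] = ("not applicable", "part not on the vendor's affected list" + note)
        elif b.fixed_in and _ver(target.middleware) >= _ver(b.fixed_in):
            out[n.cve] = ("resolved", f"middleware {target.middleware} >= fixed {b.fixed_in}" + note)
        else:
            out[n.cve] = ("applicable", "affected and no fix at the target's middleware version" + note)
    return out

# Constructed sample data modelled on the page's case; scopes, part list and fix version are assumptions.
TARGET = Target("CYBLE-416045-2", "PSoC6", "5.0", "3.60")
NVD = [
    NvdEntry("CVE-2020-11957", frozenset({"PSoC6"}), ble_version="4.2"),
    NvdEntry("CVE-2019-13916", frozenset({"PSoC6"})),
    NvdEntry("CVE-2019-16336", frozenset({"PSoC4"})),
    NvdEntry("CVE-2019-17061", frozenset({"PSoC4"})),
    NvdEntry("CVE-0000-EXAMPLE", frozenset({"PSoC6"}), is_ble=False),   # placeholder classic entry
]
BULLETINS = [
    Bulletin("CVE-2019-13916", frozenset({"PSoC6"}), parts=frozenset({"CYBLE-EXAMPLE-PART"})),
    Bulletin("CVE-2019-16336", frozenset({"PSoC4", "PSoC6"}), fixed_in="3.60"),
    Bulletin("CVE-2019-17061", frozenset({"PSoC4", "PSoC6"}), fixed_in="3.60"),
]
```

Running `triage(TARGET, NVD, BULLETINS)` reproduces the four outcomes discussed above, and the "vendor also lists" note surfaces the PSoC4/PSoC6 discrepancy between the two sources.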

Summary

Checking for vulnerabilities in your system’s Bluetooth SoC is both important and a bit challenging. Multiple sources should be used to make sure the information is consistent and that no CVEs are left unresolved. This evaluation should also be done regularly while the product is in production, to catch newly discovered vulnerabilities.

Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.  

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.
