When it comes to vulnerabilities, most people will think of the internet first. This is in fact the greatest source of danger, but by no means the only one, because malware or hackers can also exploit errors in other device connections.
3 Taiwanese security researchers, known as Sweyntooth have announced bugs in the implementation of Bluetooth low-energy technology in the system on-chips of various manufacturers. The good news: Before the release of their proof-of concept, the discoverers gave the producers time to provide patches. Four of the companies mentioned that they have already done this. In addition, the researchers consider only one of the security vulnerabilities to be critical, while the rest only freeze or crash the devices.
Bluetooth-Enabled Devices That Are Installing The Affected Chips
But there is also bad news: There are countless manufacturers on the market for Bluetooth-enabled devices that are installing the affected chips. It is therefore difficult to determine which and how many devices are vulnerable in this way. All device types from wearables and smart home applications to medical products are probably affected. It is also difficult to assess whether the patches are already available that have actually been imported.
The security researchers name seven chip manufacturers affected in their publication, but at the same time emphasize that their list is not exhaustive. Other manufacturers not mentioned are not necessarily safer. In addition, users must first check which chip has been installed in their device and then hope that the manufacturer of the device will also pass on the update from the chip manufacturer.
How Bad Are The Security Gaps Really?
First, let’s take a closer look at the critical vulnerability. This is a bug when connecting new devices via Bluetooth, which enables attackers to bypass the actually intended, secure authentication process. In this way, they could gain both read and write access. Fortunately, only one manufacturer’s chip is affected by this problem. In addition, the attacker must be in close proximity to the device to connect. Attacks from a distance are thus already ruled out.