TI PSIRT

Report potential product security vulnerabilities

About TI PSIRT

At TI, we set a high priority on the security of our products. However, as we all know, no matter how much effort is put into product security, no product or customer system can be 100% secure. TI wants to learn about any potential security issues impacting our products so that we can take the necessary steps to promptly address them. TI’s Product Security Incident Response Team (PSIRT) oversees the process of accepting and responding to reports of potential security vulnerabilities involving TI semiconductor products, including hardware, software and documentation.

How to report a potential security vulnerability

You can contact the TI PSIRT to report a potential security vulnerability at psirt@ti.com. Your report should be in English. TI will respond in a timely manner to confirm receipt of your email. 

Vulnerability information is extremely sensitive. The TI PSIRT strongly recommends that all submitted security vulnerability reports be sent encrypted, using the TI PSIRT PGP/GPG Key:

  • Fingerprint: 898C ECC3 451F 9438 D972  06B6 4C13 1A0F 9AF0 04D8
  • Public Key File (ZIP, 3 KB)

 

Free software to read and author PGP/GPG encrypted messages may be obtained from:

Recommended information to include in your report

To help the TI PSIRT perform triage of the potential security vulnerability, it is recommended that you provide the following information:

  • TI hardware or software products potentially affected (including version or revision)
  • How and when the potential vulnerability was discovered, and by whom
  • Technical description of the potential vulnerability, including any related (1) known exploits and (2) existing CVE ID(s)
  • Your contact information, so that TI is able to ask any necessary follow-up questions

Report handling process

Once a report is submitted, TI uses the following process to evaluate and respond to the potential security vulnerability:

  1. Notification: TI becomes aware of a potential security vulnerability.
  2. Initial triage: TI reviews the submission to determine whether a TI product may be affected and whether sufficient information has been provided.
  3. Technical analysis: TI investigates the reported potential vulnerability in greater technical depth.[1]
  4. Remediation: TI takes appropriate action for a verified product security vulnerability.
  5. Disclosure: Where appropriate, TI discloses information about the verified vulnerability and may make the remediation available, e.g. in a security advisory or a bulletin.

 

[1] TI will score the vulnerability using CVSS (Common Vulnerability Scoring System) v3.0, so that the vulnerability is properly prioritized for analysis and remediation. A CVE (Common Vulnerabilities and Exposures) ID for the vulnerability may be created, as needed. 

Responsible handling policy

Like most in the technology industry, TI PSIRT follows a responsible handling policy. Our policy describes what you can expect from TI and what we expect from you. It is based on the CERT® Guide to Coordinated Vulnerability Disclosure. Before you submit a report, please review our policy, as it describes the basis of our relationship with you.

Security bulletins

Below you will find public information about security vulnerabilities and our available mediations.

Incident ID  Description  Publication date (YYYY-MM-DD)
TI-PSIRT-2018-060007 BLE-STACK Heap Overflow Issue 2018-11-01
TI-PSIRT-2019-010018 BT (BR/EDR) SIG Errata 11838 - LMP Encryption Key Minimum Size Change 2019-08-20
TI-PSIRT-2019-050023 CC256x and WL18xx Bluetooth Low Energy - LE scan vulnerability (CVE-2019-15948) 2019-11-12
TI-PSIRT-2019-060025 CC254x OAD: AES CTR crypto implementation vulnerability 2019-11-12
TI-PSIRT-2019-060032 CC254x OAD: AES-CBC MAC verification vulnerability 2019-11-12
TI-PSIRT-2019-100034 Bluetooth Low Energy – unexpected public key crash (SweynTooth, CVE-2019-17520) 2020-02-19
TI-PSIRT-2019-100036 Bluetooth Low Energy – Invalid Connection Request (SweynTooth, CVE-2019-19193) 2020-02-19
TI-PSIRT-2019-080030 Variable Time Tag Comparison on SimpleLink™ Devices 2020-02-28
TI-PSIRT-2020-020038 Bluetooth Low Energy, Basic Rate/Enhanced Data Rate – Method Confusion Pairing Vulnerability (CVE-2020-10134) 2020-05-18
TI-PSIRT-2020-040043 Bluetooth Basic Rate/Enhanced Data Rate – Bluetooth Impersonation Attacks (BIAS, CVE-2020-10135) 2020-05-18
TI-PSIRT-2020-060056 Bluetooth® Low Energy – Missing Length Check for UNPI Packets Over SPI on CC1350 and CC26x0 Devices 2020-10-07
TI-PSIRT-2020-100078 Amnesia Open-Source TCP/IP Stack Vulnerabilities (AMNESIA:33) 2020-12-21
TI-PSIRT-2020-070058 Potential Heap Overflow Vulnerabilities in TI Z-Stack Zigbee Cluster Library (ZCL) Parsing Functions 2021-01-22
TI-PSIRT-2020-080063 Bluetooth® Low Energy – Updating Connection MTU Size During an Ongoing OAD Operation May Cause Buffer Overflow 2021-03-01
TI-PSIRT-2020-100073 SimpleLink™ Wi-Fi® CC32xx/CC31xx SDK and SimpleLink MSP432E4 SDK Integer and Buffer Overflow Issues 2021-04-29
TI-PSIRT-2020-100074 SimpleLink™ CC13XX, CC26XX, CC32XX and MSP432E4 Integer Overflow Issues 2021-04-29
TI-PSIRT-2020-100076 Integer and Buffer Overflow Issues – TI-NDK 2021-04-29
TI-PSIRT-2020-090066 FragAttacks - FRagmentation and AGgregation Attacks 2021-05-11
TI-PSIRT-2020-100068 Bluetooth® SIG Erratum – Impersonation in the Passkey Entry Protocol 2021-05-23
TI-PSIRT-2020-100069 Bluetooth® SIG Erratum – Authentication of the LE Legacy Pairing Protocol 2021-05-23
TI-PSIRT-2020-090070 Bluetooth® Low Energy, Basic Rate/Enhanced Data Rate – PIN-Code Pairing Key Derivation 2021-05-23
TI-PSIRT-2020-080064 Boot Image Manager (BIM) Potential Security Vulnerabilities in CC13x2, CC26x2, CC2640R2 Devices 2021-05-24
TI-PSIRT-2021-040098 InjectaBLE: Injecting Malicious Traffic Into Established Bluetooth® Low Energy Connections (CVE-2021-31615) 2021-06-22
TI-PSIRT-2021-050100 Bluetooth® Classic – BrakTooth V12 Vulnerability 2021-12-30
TI-PSIRT-2021-100116 Physical security attacks against silicon devices 2022-01-31
TI-PSIRT-2021-100117 Integrated HTTP server ping utility vulnerability 2022-02-15
TI-PSIRT-2022-100125 Texas Instruments 802.15.4 Stack: Absence of Frame Counter Validation in SM Configuration 2022-06-08
TI-PSIRT-2022-100118 Missing ECC Input Validations on CC1310 and CC1350 Devices 2022-06-13
TI-PSIRT-2022-050133 SimpleLink™ MSP432E4 Upper Level Memory Protection Issue 2022-09-14
TI-PSIRT-2022-100128 Texas Instruments Wi-SUN® Stack: Absence of Frame Counter Validation 2023-05-12
TI-PSIRT-2022-090141 SimpleLink CC32XX SDK Integer Overflow Issues 2023-08-01
TI-PSIRT-2021-100120 WiLink WL18xx PN Reuse Issue 2023-08-03
TI-PSIRT-2022-120160 Buffer Overflow in WL18xx MCP Driver 2023-08-10
TI-PSIRT-2022-090143 Bluetooth LE Secure Pairing Peripheral Devices Can Fail Connection With Central 2023-08-28
TI-PSIRT-2022-120154 Bluetooth SIG Erratum - Incoming Notification/Indication Tests Upon Reconnection for GATT Client are Invalid 2023-08-28
TI-PSIRT-2023-040180 MSP430FR5xxx and MSP430FR6xxx IP Encapsulation Write Vulnerability 2023-08-29
TI-PSIRT-2023-080189 C2000 DCSM ROM Gadget/ROP Vulnerability 2023-11-13
TI-PSIRT-2023-08198 TI Bluetooth: Invalid RPA Leading to DoS for Bonded Devices (CVE-2023-52709) 2024-10-09

TI PSIRT discloses information publicly where appropriate; this should not be considered a comprehensive list of incidents that we have handled. Inquiries regarding specific incidents can be addressed to psirt@ti.com.

Media inquiries

Media inquiries regarding the security of TI products may be directed to news.ti.com.