SWRA789 august 2023 CC1312R7 , CC1350 , CC1352P , CC1352P7 , CC1352R , CC1354P10 , CC1354R10 , CC2540 , CC2541 , CC2640 , CC2640R2F , CC2640R2F-Q1 , CC2640R2L , CC2642R , CC2642R-Q1 , CC2650 , CC2650MODA , CC2651P3 , CC2651R3 , CC2651R3SIPA , CC2652P , CC2652P7 , CC2652PSIP , CC2652R , CC2652R7 , CC2652RSIP
TI-PSIRT-2022-120154
A local attacker can insert itself during a reconnection between Bluetooth® LE GATT client and GATT server and succeed in sending indications or notifications to the GATT client even when the security requirements that were agreed upon during bonding is not met (for example, encryption with GATT server not enabled); thereby, compromising the security of the indications and notifications during a reconnection.
The GATT client tests per Bluetooth specification Version 5.3 and later, Vol3, Part C, Section 10.3.2.2 Handling of GATT indications and notifications does not check if IUT (Implementation Under Test) ignores notifications without establishing required security level after reconnection. Based on implementation, the GATT client can process indications and notifications from GATT server before the security requirements for the reconnection is met.
None
Part | Software Name | Software Version | BLE Stack Name | BLE Stack Version |
---|---|---|---|---|
CC2651P3, CC2651R3, CC2651R3SIPA, CC2642R, CC2652R, CC2652P, CC1352R, CC1352P,CC2652RSIP, CC2652PSIP, CC2642R-Q1, CC2652R7, CC2652P7, CC1312R7, CC1352P7 | SIMPLELINK-CC13XX-CC26XX-SDK: SimpleLink™ CC13xx and CC26xx software development kit (SDK) | v6.41.00.17 and earlier | BLE5-Stack | v2.02.07.00 and earlier |
CC2640R2F, CC2640R2L, CC2640R2F-Q1 | SIMPLELINK-CC2640R2-SDK: SimpleLink™ CC2640R2 SDK - Bluetooth® low energy | v5.30.00.03 and earlier | BLE-Stack | v3.03.08.00 and earlier |
BLE5-Stack | v1.01.14.00 and earlier | |||
CC1350 | SIMPLELINK-CC13X0-SDK: SimpleLink™ Sub-1 GHz CC13x0 Software Development Kit | v4.20.02.07 and earlier | BLE-Stack | v2.03.11.00 and earlier |
CC2640, CC2650, CC2650MODA | N/A | N/A | BLE-STACK-2-X | v2.02.07.06 and earlier |
CC2540, CC2541 | N/A | N/A | BLE-STACK-1-X | v1.05.02.00 and earlier |
To determine if your product is impacted, check the version of the SimpleLink SDK and BLE stack built into your product. This can be done by looking at the documentation included with SDK.
The potential vulnerability can impact Bluetooth® Low Energy devices (running the affected SDK versions) when configured as a Bluetooth Low Energy GATT Client using Bluetooth security modes and levels which require authentication and/or encryption in a connection with the bonded devices.
If the user application is using privacy for Bluetooth LE connections, then, the risk of this vulnerability is mitigated as only valid devices with known IRK (Identity Resolving Key) can establish connection / reconnection. Additionally, upon reconnection, if the GATT client is immediately increasing the security to the level agreed upon during bonding, the risks of this vulnerability is further mitigated.
The Bluetooth erratum changes propose GATT client role tests to be similar to their GATT server counterparts with the following steps:
The following table lists the SDK releases with mitigations that addresses the potential vulnerability. If using impacted SDKs for which fixes are available, upgrade to the version of the SDK with fixes, or a later version.
Affected SDK | First SDK version with mitigations | First BLE stack version with mitigations |
---|---|---|
CC13XX-26XX-SDK, BLE5-STACK | SimpleLink™ CC13xx CC26xx SDK (7.10.00.98) | v2.02.08.00 |
CC2340 SDK, BLE5-STACK | SimpleLink™ Low Power F3 SDK (7.10.00.35) | v3.02.01.00 |
CC2640R2, CC1350, CC26x0, CC25x0 SDK, BLE-STACK | Not supported (1) | Not supported (1) |
CC2640R2 SDK, BLE5-STACK | Not supported (1) | Not supported (1) |