Zephyr OS Bluetooth Vulns Left Smart Devices Open To Attack

Vulnerabilities in the Zephyr real-time operating system’s Bluetooth stack have been identified, leaving a wide variety of Internet of Things devices open to attack – unless upgraded to a patched version of the OS.

A security advisory released by Synopsys this afternoon highlights eight key vulnerabilities in Zephyr’s Bluetooth Low Energy (BLE) software stack. The least serious of these can lead to a denial-of-service attack by deadlocking the target device; the most serious allow for information leakage or, potentially, remote code execution.

The vulnerabilities, discovered through use of Synopsys’s Defensics fuzzing software, are exploitable when the devices are in advertising mode and accepting connections from remote devices – putting a wide range of gadgets at risk.

“Devices like smart watches, fitness trackers, or medical sensors (e.g., continuous glucose monitoring sensors) are in a peripheral role and in advertising mode to make it possible for phones to connect,” Matias Karhumaa, senior software engineer at the Synopsys Cybersecurity Research Centre, told The Register.

“Typically, the Bluetooth Low Energy range is up to 100 metres. However, Bluetooth LE long-range mode, which was introduced in the Bluetooth 5 specification, may provide a range of up to 1km.”

Fuzzy fuzzing

Karhumaa has been working on Bluetooth security for some time. “My proposed Master’s thesis project topic was to research and implement a new method to enable the fuzzing of the Bluetooth Low Energy Link Layer,” he explained. “As a result, we are now reporting these vulnerabilities which were identified using the solution developed as part of my Master’s thesis.

“Fuzz testing is a black box testing methodology in which the fuzzer feeds purposely malformed input into a target system and monitors whether the target system is able to handle the input without crashing or otherwise misbehaving.”

Using this approach Karhumaa was able to discover eight key vulnerabilities in the Zephyr Bluetooth stack, each one of which can be exploited remotely. In some cases, successful exploitation simply reboots the target device – annoying in the instance of a smartwatch or fitness tracker, potentially dangerous for medical devices.

In other cases, the vulnerability can hang the entire device until manually rebooted. There are those, too, which allow for disclosure of supposedly-protected information albeit a mere six bytes at a time, which Karhumaa told us makes it difficult to use as a practical attack for password or encryption key retrieval – or even remote execution of arbitrary code.

“In general,” Karhumaa noted, “I tend to recommend that organisations not spend too much time trying to figure out whether the vulnerability really is exploitable or not. Rather, we work to make it easy to identify, reproduce, and resolve the bugs regardless of their exploitability.”

Zephyr 2.6.0 a recommended upgrade

The vulnerabilities were reported to Zephyr back in March this year, with fixes being rolled into Zephyr 2.6.0 on 5 June 2021. Those running earlier versions of Zephyr on Bluetooth-capable devices should upgrade now – something which is easier said than done in a market where manufacturers all too often abandon support of existing products in favour of building an upgraded replacement.

“Overall, yes, vendors need to work to improve how quickly they’re able to deliver firmware updates to resolve security vulnerabilities,” Karhumaa offered on this latter point.

“Zephyr has done a great job defining their security policy which ensures they provide security updates to their LTS [Long-Term Support] releases and for the two latest non-LTS releases. Zephyr project members using Zephyr in their products also receive security alerts before the vulnerabilities are disclosed publicly.”

“Bluetooth is at the epicentre of smart connectivity, but it isn’t always plain sailing as many could fall into traps without even realising there could be any exploits looming,” Jake Moore, ESET UK cybersecurity expert, told The Register.

“Many of us simply connect to devices assuming Bluetooth, or wireless connectivity in general, is an effortless and secure way to link devices but software vulnerabilities can lead to problems such as eavesdropping, denial of service, or even malware.

“Unpatched security holes could potentially create havoc with a Bluetooth device and updates often go amiss in the updating process around the home or office. Luckily, Bluetooth attacks require the malicious actor to be just a few feet away which is rather uncommon compared to other more sophisticated remote attacks which often create more destruction.

“Although difficult when so much is connected via wireless connectivity, it could be worth switching off Bluetooth when not in use on such devices.” ®