Cybersecurity researchers have shared details about eight vulnerabilities in the Bluetooth Low Energy (BLE) software stack of the open source real-time Zephyr OS.
Developed under the aegis of the Linux Foundation, Zephyr started at Wind River before it was acquired by Intel and eventually open sourced. The OS supports over 200 boards and counts the likes of Intel, Linaro, Texas Instruments, Nordic Semiconductor, Bose, Facebook, Google, and others as members, many of whom have devices that run Zephyr.
Security vendor Synopsys, which discovered the vulnerabilities, divides the flaws into three high-level categories. Some of the vulnerabilities can lead to remote code execution, while others could be exploited to obtain confidential information such as encryption keys.
“All the reported vulnerabilities can be triggered from within the range of Bluetooth LE. Triggering the vulnerability does not require authentication or encryption,” writes Synopsys in its advisory.
Connect to exploit
Synopsys notes that the only requirement for the exploitation of the vulnerabilities is for a Zephyr-powered device to be in advertising mode and accepting connections.
Speaking to The Register, Matias Karhumaa, senior software engineer at the Synopsys Cybersecurity Research Centre, explained that Bluetooth devices such as smartwatches, fitness trackers, and medical devices like continuous glucose monitoring sensors operate in advertising mode so that external devices can connect to them.
Just last month, researchers at the French National Agency for the Security of Information Systems (ANSSI) identified a number of vulnerabilities in two critical Bluetooth services that could’ve been exploited to allow attackers to hijack a pairing request in order to conduct Man-in-the-Middle (MitM) attacks.
When questioned about the exploitability of the Zephyr Bluetooth vulnerabilities, Karhumaa shared that he believes businesses shouldn’t spend time trying to figure out whether a vulnerability is exploitable in the real world, and should rather work “to make it easy to identify, reproduce, and resolve the bugs regardless of their exploitability.”
According to Synopsys’ advisory, the vulnerabilities were shared with the Zephyr project back in March 2021. The project started fixing them immediately, culminating in the Zephyr 2.6.0 release earlier in June, which includes patches for all the reported vulnerabilities.