Renesas is aware of a Bluetooth® Low Energy vulnerability named SweynTooth. This is published as a white paper by the Singapore University of Technology and Design. The white paper and a tool to reproduce this are available at the following link: https://asset-group.github.io/disclosures/sweyntooth/.
The tool simulates a malicious attack and categorizes the level of vulnerability in the Bluetooth ICs. Renesas Bluetooth devices were included in the investigation and found to be vulnerable to attacks that could force products to reset.
Renesas is taking action to provide solutions to our customers. Below is a list of several Renesas Bluetooth Low Energy devices describing how these are affected by the Sweyntooth vulnerabilities.
The vulnerabilities affecting these devices do not let the attacker inject code into memory to bypass the available Bluetooth security mechanism.
For any inquiries, please contact your Renesas sales representative.
The table below will be updated as the situation develops.
Device | SDK | Vulnerability | Resolution | Status/Plan |
---|---|---|---|---|
DA14580/DA14581/DA14583 | SDK3.0.x | CVE-2019-17517 | Hotfix release. Contact your Renesas sales representative. | March 20, 2020 |
SDK5.0.4 | CVE-2019-17517 | Hotfix release available on-line | May 25, 2022 | |
DA14585/DA14586 | SDK6.0.12 | CVE-2019-17517 | Hotfix release available on-line | March 6, 2020 |
SDK6.0.14 | CVE-2019-17517 | New SDK release | April 2020 | |
DA14680/DA14681/DA14682/DA14683 | SDK1.0.14 | CVE-2019-17518 | Hotfix release available on-line | May 25, 2022 |
DA1469x | SDK10.0.4 | CVE-2019-17518 | Upgrade to newer SDK | — |
SDK10.0.6 | Not affected | — | — | |
SDK10.0.8 | Not affected | — | — | |
DA14531 | SDK6.0.12 | Not affected | — | — |