Request patches for firmware/kernel/bluez for BCM4339/BCM4356/BCM4343 Bluetooth to avoid Invalid Curve Attack

FuDu_2380051
Level 1

Issue: Bluetooth Invalid Curve attack.

Ref:

http://www.cs.technion.ac.il/~biham/BT/

https://www.bluetooth.com/news/unknown/2018/07/bluetooth-sig-security-update

Summary

Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.

Impact

• An unauthenticated, remote attacker within range may be able to utilize a man-in-the-middle network position to determine the cryptographic keys used by the device.

• The attacker can then intercept and decrypt and/or forge and inject device messages.

• The attack exploits the vulnerability on both participating devices simultaneously. If any one of them is patched, the attack does not work.

• Every Bluetooth chip manufactured by Intel, Broadcom or Qualcomm is likely affected.

• In addition, the Android Bluetooth stack (Bluedroid) is affected when using Bluetooth smart.

Potential Impact

• Potentially all products listed in this link below will be susceptible

o https://www.nxp.com/products/wireless-connectivity/bluetooth-low-energy-ble:BLUETOOTH-LOW-ENERGY-BLE

• Impacted vendor in the CERT CC website: Cypress/Broadcom BT modules are impacted.

Since NXP i.MX6q/dl/sl/sx/ul/7d series products use Cypress/Broadcom bcm4339/bcm4356/bcm4343 modules, Bluetooth LE is now not secure. NXP requests formal patches for firmware/kernel/bluez Bluetooth to avoid the Invalid Curve Attack.

0 Likes
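
The Summary in the opening post refers to validating the elliptic-curve parameters of a received public key. As an added example (not from this thread and not any vendor's patch), the following shows that check for a P-256 public key before it is used in ECDH; the 64-byte little-endian X || Y layout and all function names are assumptions.

```python
# Added example: reject a peer public key that is not a point on P-256.
# Assumption: the key arrives as 64 bytes, X || Y, each 32 bytes little-endian.

# NIST P-256 domain parameters (y^2 = x^3 + A*x + B mod P).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point, used here only to build a known-good sample key.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPublicKey(ValueError):
    """Raised when a received key must not be used for key agreement."""


def parse_public_key(payload: bytes) -> tuple[int, int]:
    """Split the 64-byte payload into integer coordinates (x, y)."""
    if len(payload) != 64:
        raise InvalidPublicKey("expected 64 bytes (X || Y)")
    return (int.from_bytes(payload[:32], "little"),
            int.from_bytes(payload[32:], "little"))


def is_on_curve(x: int, y: int) -> bool:
    """True only if both coordinates are field elements and satisfy the curve."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_peer_key(payload: bytes) -> tuple[int, int]:
    """Return (x, y) if usable, otherwise raise InvalidPublicKey.

    P-256 has cofactor 1, so an affine point on the curve is in the right group.
    """
    x, y = parse_public_key(payload)
    if not is_on_curve(x, y):
        raise InvalidPublicKey("point is not on P-256")
    return x, y


def encode(x: int, y: int) -> bytes:
    """Build a constructed sample payload in the assumed wire layout."""
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")
```

Both coordinates are checked together: a key whose X matches a valid point but whose Y has been altered in transit fails `is_on_curve` and is rejected before any shared secret is computed.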
MichaelF_56
Moderator

I will talk to the engineering team/Murata and see if we can support Murata directly on this request then have them replicate the patch we provide to them across all of their dual mode modules which leverage i.MX hosts.

0 Likes

To fix the vulnerability, does it need both a firmware patch and host patches?

Please talk with Murata Scott, and supply the fixes, then Murata can update the fixed firmware on Murata github.

What is your schedule for this? It seems the issue is serious.

Thanks for your support!

0 Likes