Silicon Labs Bluetooth Implementations Unaffected by BlueBorne

by Administrator llooper 09-14-2017 09:39 AM - edited 09-14-2017 10:54 AM

A collection of Bluetooth vulnerabilities named “BlueBorne” has just been made public by the security research company Armis. The vulnerabilities are not in the Bluetooth standard itself, but rather in specific implementations of the standard. The Silicon Labs Bluetooth implementation is different from the affected implementations. Therefore, products based on our Bluetooth software are immune to BlueBorne.

The vulnerabilities have been disclosed responsibly, which means that vendors have had time to issue security patches. Therefore, please update and patch all Bluetooth products based on Android, Windows, iOS or Linux! And if in doubt, follow best practice and update all smart products regardless of protocol and software platform.

As a note, fighting BlueBorne shows the importance of being able to upgrade the software of connected devices, as discussed here:

http://www.newelectronics.co.uk/electronics-technology/the-iot-requires-upgradable-security/156211/

References:

https://www.armis.com/blueborne/

https://www.wired.com/story/turn-off-bluetooth-security/

https://techcrunch.com/2017/09/12/new-bluetooth-vulnerability-can-hack-a-phone-in-ten-seconds/

Comments
by david_s
on 09-21-2017 09:45 AM

It would be good to know what backs up the claim in the post. Having a "different implementation" does not guarantee that it doesn't suffer from the same or a similar issue. BlueBorne is a great example of that because it shows one specific vulnerability being present in both Windows and Android stacks. And these two are completely different implementations.

What kind of analysis and testing has been performed to justify the conclusion that the SiLabs Bluetooth stack is not susceptible to this set of vulnerabilities?

by Administrator llooper
on 09-21-2017 11:24 AM

Hi David, thanks for the question. First, note that BlueBorne is a total of 8 vulnerabilities across many profiles and components. Only two of these are relevant for Bluetooth LE: L2CAP and SDP. The others are not supported by us in any products. For L2CAP and SDP, our architecture is completely different from the affected implementations, and we have analyzed our implementation to verify that our stack is not vulnerable to the same attacks.