TI PSIRT ID
TI-PSIRT-2018-060007
Affected Products
The issue is only potentially present:
- When the attacker is in close physical proximity to the Bluetooth product; and
- When scanning is used (e.g. observer role or central role that performs scanning); and
- In the following TI device/software combinations:
  - CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; or
  - CC2650 with BLE-STACK version 2.2.1 or an earlier version; or
  - CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); or
  - CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version.
The following have been identified as not affected by this potential vulnerability:
- Use of the OAD feature with appropriate system-level security measures in place
- Automotive Qualified CC2640R2F-Q1
- CC2540/CC2541 devices on any BLE-STACK version
- CC2640R2 SDK version 1.30.00.25 or greater or CC1352/CC26x2 on any supported SDK version
- CC2640 or CC2650 on any supported BLE-STACK SDK version 2.2.2
- Any device configuration that doesn’t perform BLE scanning (e.g., peripheral role or advertiser role)
- Dual-Mode Bluetooth Controllers: CC2564x, WL18xx, WL12xx, BL6450x, and NL55xx families
Suggested Mitigations
The following updates have been released and are publicly available to customers:
Customers using these devices, software, and scanning mode combinations should determine whether their application is affected based on how it is being used, and whether software updates are possible within their end application. The level of action needed will likely vary depending on the use-case of each end-product.