Known Bluetooth controller vulnerabilities

BR/EDR

BLE

The lower layers of the Bluetooth standard are implemented in the controller firmware, which is updated less frequently than the host and could contain critical vulnerabilities.

Identifying known vulnerabilities is a fundamental step in a security audit. It needs to be verified whether these vulnerabilities affect the analyzed device to avoid false positives.

Description

The enumeration of known vulnerabilities can be done by searching in vulnerability databases or in general-purpose search engines.

It important to verify the applicability of each of the vulnerabilities found against the analyzed device.

Resources that can be useful for the identification of the driver model on the device can be found in the following table:

IDDescription
BSAM-RES-01Physical identification of the controller
BSAM-RES-02Identify controller through reports

For vulnerability enumeration the following resources may be of interest:

IDDescription
BSAM-RES-03Vulnerability database search

Example case

For an ESP32 Bluetooth controller, the following results have been identified in different search engines:

Known vulnerabilities should be validated and classified to assess which ones affect and which ones are not applicable to our device.