This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

BLE-STACK Heap Overflow Issue

Other Parts Discussed in Thread: BLE-STACK, CC2640, CC2650, CC2640R2F, CC1350, CC2640R2F-Q1, CC2541, CC2540

TI is aware that Armis has reported potential security vulnerabilities with certain older versions of the BLE-STACK. Armis has also incorrectly indicated a chip-level issue with the over-the-air download (OAD) Profile feature. While we believe many aspects of this potential vulnerability are misrepresented, we want you to have the facts and resources available to you to help you make decisions about securing your applications.

  • What was found
    • Prior to being contacted by Armis, TI identified a potential stability issue with certain older versions of the BLE-STACK when used in a scanning mode, and we addressed this issue with software updates earlier this year. As we’ve shared with Armis, we believe the potential security vulnerability identified by Armis was addressed with previous software updates. If you have not already updated your software with the latest versions available, we encourage you to do so. See mitigations below.
    • Additionally, the over-the-air firmware download (OAD) Profile feature mentioned in Armis’ report as it relates to the TI BLE devices is not intended or marketed to be a comprehensive security solution, as noted on Plainly, the vulnerability mentioned in Armis’ report is a system-level – not chip-level – issue. We encourage you to use security-enabled features when designing security-related systems.

  • What could be affected
    • The issue is only potentially present:
      • When the attacker is in close physical proximity to the Bluetooth product; and
      • When scanning is used (e.g. observer role or central role that performs scanning); and
      • In the following TI device/software combinations:
        • CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; or
        • CC2650 with BLE-STACK version 2.2.1 or an earlier version; or
        • CC2640R2F with SimpleLink CC2640R2 SDK version (BLE-STACK 3.0.0); or
        • CC1350 with SimpleLink CC13x0 SDK version (BLE-STACK 2.3.3) or an earlier version.

    • The following have been identified as not affected by this potential vulnerability:
      • Use of the OAD feature with appropriate system-level security measures in place
      • Automotive Qualified CC2640R2F-Q1
      • CC2540/CC2541 devices on any BLE-STACK version
      • CC2640R2 SDK version or greater or CC1352/CC26x2 on any supported SDK version
      • CC2640 or CC2650 on any supported BLE-STACK SDK version 2.2.2
      • Any device configuration that doesn’t perform BLE scanning (e.g., peripheral role or advertiser role)
      • Dual-Mode Bluetooth Controllers: CC2564x, WL18xx, WL12xx, BL6450x, and NL55xx families

  • Mitigation
    • The following updates have been released and are publically available to customers.
      • For CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version, or CC2650 with BLE-STACK version 2.2.1 or an earlier version, customers can update to version 2.2.2 here.
      • For CC2640R2F, customers can update to SimpleLink CC2640R2F SDK version (BLE-STACK 3.0.1) or later here.
      • For CC1350, customers can update to SimpleLink CC13x0 SDK version (BLE-STACK 2.3.4) or later here.
    • Customers using these devices, software and scanning mode combinations should determine whether their application is affected based on how it is being used, and whether software updates are possible within their end application. The level of action needed will likely vary depending on the use-case of each end-product.