CVE-2022-46403: Deviating Behaviors in Different Bluetooth Low Energy Implementations

The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) mishandles reject messages.

Research conducted by Purdue University and Pennsylvania State University has uncovered five security vulnerabilities in the Bluetooth® Low Energy peripheral implementations of various devices, which affect Microchip Bluetooth products. The associated paper has been accepted for publication at the 44th IEEE® Symposium on Security and Privacy, 2023.

The following is a short summary of these vulnerabilities:

  1. Unresponsiveness with ConReqTimeoutZero, CVE-2022-46400: An attacker in radio range can exploit this issue to cause a surreptitious denial of service of Bluetooth. Although the attack is carried out over Bluetooth Low Energy, the affected smartphone turns off both Bluetooth Low Energy and Bluetooth Classic (BR/EDR) without notifying the user. To recover, the user must manually restart Bluetooth Low Energy and, in some cases, the smartphone as well.

  2. Bypassing passkey entry in legacy pairing, CVE-2022-46399: The impact of this deviation is catastrophic. With this passkey-entry bypass, a Man-in-the-Middle (MitM) attack against the Bluetooth Low Energy implementation becomes possible. This is worse than an attack on the Just Works association method, because it can deceive users into believing they have a high level of protection when in reality they have none.

  3. Accepts PauseEncReqPlainText before pairing is complete, CVE-2022-46401: The Bluetooth Low Energy implementation enters a faulty state, discards subsequent messages from the central and causes a service disruption. Devices without this vulnerability ignore the message, do not change state, and complete the pairing and encryption procedures as expected.

  4. Accepts PairConfirmSend with wrong values, CVE-2022-46402: An attacker in radio range acting as a central can cause a denial of service on the device.

  5. Issue with reject messages, CVE-2022-46403: This can cause interoperability issues between devices from different vendors.

Note: Vulnerability #2, CVE-2022-46399 (bypassing passkey entry in legacy pairing), has been fixed in the latest firmware for all our Bluetooth Low Energy products. Please download the latest firmware from the product page of the selected device.
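As an added example (neither Microchip's code nor code from the paper), here are the two peripheral-side link-layer checks that correspond to deviations #1 and #3 above: validating the connection parameters of a CONNECT_IND so that a zero supervision timeout is refused, and ignoring a pause-encryption request unless the link is already encrypted. The field ranges are the Bluetooth Core Specification limits; the state model, type names and function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Connection parameters from the LLData of a CONNECT_IND PDU, in their
 * on-air units: interval in 1.25 ms ticks, timeout in 10 ms ticks. */
typedef struct {
    uint16_t interval; /* connInterval, spec range 0x0006..0x0C80 (7.5 ms..4 s) */
    uint16_t latency;  /* connSlaveLatency, spec range 0..0x01F3 */
    uint16_t timeout;  /* connSupervisionTimeout, spec range 0x000A..0x0C80 (100 ms..32 s) */
} conn_params_t;

/* Returns true only if every field lies inside its spec range and the
 * supervision timeout exceeds (1 + latency) * interval * 2. A CONNECT_IND
 * carrying timeout == 0 (the ConReqTimeoutZero case) is therefore refused
 * before it can be used to program the link. */
bool conn_params_valid(const conn_params_t *p)
{
    if (p->interval < 0x0006 || p->interval > 0x0C80) return false;
    if (p->latency > 0x01F3) return false;
    if (p->timeout < 0x000A || p->timeout > 0x0C80) return false;
    uint64_t interval_us = (uint64_t)p->interval * 1250u;
    uint64_t timeout_us  = (uint64_t)p->timeout * 10000u;
    return timeout_us > (uint64_t)(1u + p->latency) * interval_us * 2u;
}

/* Minimal link state (assumed model, not a complete LL state machine). */
typedef enum { LL_CONNECTED, LL_PAIRING, LL_ENCRYPTED } ll_state_t;

/* Handles an LL_PAUSE_ENC_REQ. Pausing encryption is only meaningful on an
 * encrypted link; in any other state the PDU is ignored and the state is
 * left untouched, which is the non-vulnerable behaviour described above for
 * a request that arrives before pairing has completed. */
bool ll_on_pause_enc_req(ll_state_t *state)
{
    if (*state != LL_ENCRYPTED) return false; /* ignore, no state change */
    *state = LL_CONNECTED;                    /* encryption paused */
    return true;
}
```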
