CC254x OAD: AES CTR Crypto Implementation Vulnerability

1 Summary

In the CC254x OAD solution:

aesCrypt function in EBL/app/sbl_exec.c is used to encrypt the OAD image (64 bytes of data at a time)
imgCrypt function in BEM/app/bem_main.c is used to decrypt the OAD image

AES-CTR cryptographic function is used in both the encryption functions above. The cryptographic function implementation resets the AES-CTR counter to its initial value every 4 AES blocks (64-bytes), resulting in keystream repetition every 64-bytes. This vulnerability can potentially be used to decrypt a firmware image without having to recover the AES key.

2 Vulnerability

TI PSIRT ID

TI-PSIRT-2019-060025

CVSS Base Score

8.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

CC2540/CC2541 BLE-Stack SDK v1.5.0 and earlier

Potentially Impacted Features

The potential vulnerability can impact the OAD image encryption functionality.

Suggested Mitigations

The following service-pack release addresses the potential vulnerability:

BLE-STACK (support for CC2540/CC2541) SDK v1.5.1 at Bluetooth Low Energy software stack

Customers of affected products should apply this service-pack and consider further system-level security measures as appropriate. Customers are solely responsible for the security of their products and are encouraged to assess the possible risk of any potential security vulnerability.

Acknowledgments

We would like to thank researchers from COSIC, KU Leuven and imec for reporting this potential vulnerability to the TI Product Security Incident Response Team (PSIRT) and working toward a coordinated report.

External References

Texas Instruments, Bluetooth Low Energy software stack