Cypress PSoC4 Bluetooth Low Energy Authentication Bypass Vulnerability

Vulnerability

A vulnerability in the Bluetooth Low Energy (BLE) stack of Cypress PSoC4 BLE SDK v3.66 allows attackers to bypass the pairing process and authentication. This is achieved by sending a crafted 'pairing_failed' packet immediately after a pairing request, causing the device to enter an inconsistent state. As a result, attackers can initiate encryption procedures without proper authentication or key exchange.

Impact

Exploiting this vulnerability bypasses authentication controls, allows unauthorized encryption, and could lead to privilege escalation by enabling access to secure services without proper credentials.

Reproduction

To reproduce this vulnerability, connect to a Cypress PSoC4 device running BLE SDK v3.66. Begin a pairing process and inject a 'pairing_failed' packet before the pairing is completed. Afterward, send an 'LL_ENC_REQ' packet. The device will enter the encryption phase without having completed the necessary authentication.

Remediation

It is recommended to implement strict state validation checks before accepting 'LL_ENC_REQ' packets, ensure that pairing failures revert all secure session states, and discard all encryption-related requests if pairing was not successfully completed.
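As an added illustration of those three checks (example code, not from this advisory or the Cypress SDK), a hypothetical, simplified secure-session state machine in C: a 'pairing_failed' wipes key material and returns the session to idle, and an 'LL_ENC_REQ' is discarded unless pairing has completed. The state and event names, and the stand-in key, are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical per-connection secure-session state; names are illustrative, not the Cypress SDK's own. */
typedef enum { SEC_IDLE, SEC_PAIRING, SEC_PAIRED } sec_state_t;
typedef enum {
    EVT_PAIRING_REQ,      /* peer starts pairing */
    EVT_PAIRING_COMPLETE, /* stand-in for a successfully finished exchange */
    EVT_PAIRING_FAILED,   /* 'pairing_failed' received before completion */
    EVT_LL_ENC_REQ        /* link-layer request to start encryption */
} sec_event_t;
typedef struct { sec_state_t state; unsigned char ltk[16]; bool encryption_started; } secure_session_t;

/* A pairing failure reverts everything: key material, encryption flag and state. */
void secure_session_reset(secure_session_t *s) {
    memset(s->ltk, 0, sizeof s->ltk);
    s->encryption_started = false;
    s->state = SEC_IDLE;
}

/* Returns true if the event is accepted in the current state, false if discarded. */
bool secure_session_handle(secure_session_t *s, sec_event_t ev) {
    switch (ev) {
    case EVT_PAIRING_REQ:
        if (s->state != SEC_IDLE) return false;    /* no overlapping pairings */
        s->state = SEC_PAIRING;
        return true;
    case EVT_PAIRING_COMPLETE:
        if (s->state != SEC_PAIRING) return false;
        memset(s->ltk, 0xA5, sizeof s->ltk);       /* constructed stand-in LTK */
        s->state = SEC_PAIRED;
        return true;
    case EVT_PAIRING_FAILED:
        secure_session_reset(s);                   /* always fully revert */
        return true;
    case EVT_LL_ENC_REQ:
        if (s->state != SEC_PAIRED) return false;  /* strict state validation */
        s->encryption_started = true;
        return true;
    }
    return false;
}
/* Replays an event sequence on a fresh session; true only if the last event was accepted. */
bool last_event_accepted(const sec_event_t *evs, int n) {
    secure_session_t s;
    secure_session_reset(&s);
    bool ok = false;
    for (int i = 0; i < n; i++) ok = secure_session_handle(&s, evs[i]);
    return ok;
}
```

With these checks the sequence described under Reproduction (pairing request, 'pairing_failed', 'LL_ENC_REQ') ends with the encryption request discarded, while a completed pairing still allows encryption to start.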

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 5.0
exploitability: 4.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.