Only the above Zebra devices are impacted by CVE-2018-16986 only and CVE-2018-7080 does not apply since the OAD feature in the Texas Instruments’ (TI) CC2640 BLE chip is disabled. The Zebra devices have an STMicroelectronics Microcontroller Unit (MCU) and BLE chip CC2640. The MCU firmware is written on CYPRESS WICED SDK. The firmware of the TI CC2640 is based on TI’s BLE SDK 2.1. The MCU connects to the CC2640 via a UART port. The MCU sends BLE HCI commands to the CC2640, the CC2640 does the BLE scanning continuously, and the CC2640 returns the scanned BLE packets in a predefined format to MCU.
During the scanning process, there is possible memory corruption in the CC2640 per CVE-2018-16986. If the CC2640 is exploited, it may send garbage data over the UART port to the MCU. The MCU may or may not discard the data, depending on the data itself. In this manner, the badge could become useless as there is no valid BLE packet data to collect inside the MCU.
If an attacker wants to gain full control of the device the attacker needs to first gain control of the MCU. The attacker would need to find an enabling vulnerability in WICED SDK and the STM MCU as well. The hacker would then need to attack the MCU through the exploited CC2640 chip via the UART port. The possibility of exploiting the MCU (achieved in conjunction with the exploitation of undiscovered vulnerabilities in both the Wicked SDK and the STM MCU) to gain full control over the device is relatively low.
To avoid the potential of this vulnerability, Zebra must port the CC2640 firmware code to the TI BLE SDK 2.2.2. For new device this updated CC2640 firmware code can be used. For deployed devices the updated CC2640 firmware can be updated over-the-air through the MCU where the MCU pushes the new firmware to CC2640 via UART port.