At u-blox, the safety and security of our customers and users has always been a top priority. We are dedicated to improving our products continuously, focusing on changing market needs and technological breakthroughs as well as on the evolving threat surface and new attack vectors. This Responsible Disclosure Policy is in place to identify new vulnerabilities and security issues in the hardware, software or services provided by u-blox (“u-blox Products”) and to address them in a timely manner.
You can use this platform to report a vulnerability or security issue in any u‑blox Product, excluding end-of-life u‑blox products and services. In addition, u-blox runs an invite-only bug bounty program for certain u-blox services, operated in partnership with Bugcrowd, for which you can apply (u-blox Bug Bounty Program on Bugcrowd).
Reporting a vulnerability in good faith, including as part of academic or private research, is possible through our Responsible Disclosure Policy and will not be penalized. Targeted, malicious or persistent attacks, however, are strictly forbidden and will be reported to the relevant authorities in accordance with applicable law.
How to report
If you are an existing u-blox customer, you can submit a vulnerability or security issue report by creating a support ticket in the u-blox support portal.
If you participate in the bug bounty program, please report your findings through the Bugcrowd platform. In all other cases, please contact us at security@u-blox.com.
When reporting a security issue through email, do not send us any issue information in the initial message. Instead, send us the following information:
PGP public key and fingerprint: 6605 81FD 1F29 FB7A EEB4 F72E FA86 5A68 CF51 92F
After we have established the secure communication, please send us the following information to be able to address the issue:
Please include only the information necessary for u-blox to analyze the vulnerability or security issue properly, i.e. do not submit any personal or sensitive personal information. All your personal data will be processed in accordance with u-blox’s Privacy Policy.
u-blox will assess each submission received. After your message, the following actions will be undertaken:
To prevent exploitation of reported vulnerabilities/security issues before workarounds or fixes are available, we kindly ask you to refrain from disclosing the vulnerability/security issue until u-blox allows you to do so.
To recognize your contributions aside from payouts through the invite-only bug bounty program, we may, with your authorization, thank you through an entry in the Acknowledgements section below. Please also note that the terms and conditions of the u-blox website apply to your contribution, and u-blox will thus be able to use any information provided in any commercial context.
We would like to thank all individuals and companies who have reported security issues in u-blox infrastructure or Products.
| Year | Reporter | Affiliation |
| --- | --- | --- |
| 2023 | Harinder Singh (S1N6H) | |
| 2022 | Shrirang Diwakar | |
| 2021 | Talha Saleem | Individual |
| 2020 | Ronak Nahar | Individual |
| 2020 | Aishwarya Kendle | Individual |
| 2020 | Ali Razzaq | Individual |
| 2020 | Mohammed Adam | Individual |
| 2020 | Usama Abid | Individual |
| 2020 | Avi Chakravarti | Individual |
| 2020 | Badal Sardhara | Individual |
| 2020 | Merbin Russel | Individual |
We continuously monitor and investigate reported security issues. In this section, we publish confirmed security vulnerabilities related to u-blox Products.
| Vulnerability | Affected Product(s) | Recommendations |
| --- | --- | --- |
| Frame Aggregation vulnerability (FRAG) | EMMY-W1 series, | Please refer to the information note. A new firmware is now available for some of the affected products. u-blox teams are working on further releases. |
| Spectra coexistence vulnerability | JODY-W1 series | Please refer to the information note. A new firmware is now available that patches the issue. |
| CVE-2019-16336, CVE-2019-17519, CVE-2019-17517, CVE-2019-17518, CVE-2019-17520, CVE-2019-19195, CVE-2019-19196, CVE-2019-17061, CVE-2019-17060, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194 (Sweyntooth) | JODY-W1, | Please refer to the information note. A new firmware is now available that patches the issue. |
| Fault injection vulnerability in nRF52 chips | ANNA-B1 series, | Please refer to the design considerations and product recommendations in the information note. |
| CVE-2019-15126 (Kr00k) | JODY-W1 series | Please refer to the information note. A new firmware is now available that patches the issue. |
| CVE-2019-9506 (KNOB) | NINA-B2 series, | Please refer to the product documentation available here: |
| Bluetooth pairing mode confusion | All Bluetooth products | Please follow the recommendations from the Bluetooth SIG as mentioned below (LE, BR/EDR). |
| Command execution through the serial interface of u-blox TOBY-L2 | TOBY-L200, TOBY-L201, TOBY-L210, TOBY-L220, TOBY-L280 | A flaw in the input validation of TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands. Exploitation requires physical access to the serial interface of the module, or the ability to modify the system or software that uses its serial interface to send malicious AT commands. Customers should ensure that the TOBY-L2 serial port is available only to internal applications of the device and that the application only allows the use of verified AT commands. For product-specific security patches, contact u-blox through the customer support portal. |
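The TOBY-L2 mitigation above asks the host application to act as a gatekeeper for the module's serial port: only known, well-formed AT commands may be forwarded. The following Python is an added example of such a gatekeeper; it is not u-blox code and is not tied to the TOBY-L2 AT command set or to the details of the flaw. The command names in `ALLOWED_COMMANDS` and all test strings are constructed for illustration. The allowlist checks the command name, the grammar check rejects control characters, embedded line terminators and `;`-chaining so that a single forwarded line cannot smuggle a second command, and the result is re-serialized from the parsed parts rather than passing the caller's bytes through.

```python
import re
from typing import NamedTuple

# Constructed allowlist for illustration only. A real deployment would populate it
# from the commands the host application actually needs, per the module's AT manual.
ALLOWED_COMMANDS = frozenset({
    "AT",
    "AT+CGMI",
    "AT+CGSN",
    "AT+CSQ",
    "AT+CGATT",
    "AT+CGDCONT",
})

# Grammar of one AT command line: a name, an optional test ("=?"), read ("?") or
# write ("=<params>") form, an optional CR or CRLF terminator, and nothing else.
# Parameters are limited to printable ASCII 0x20-0x7E minus ';' (0x3B), so control
# characters (including CR/LF) and command chaining cannot pass the check.
_AT_LINE = re.compile(
    r"(?P<name>AT(?:\+[A-Z0-9]+)?)"
    r"(?P<suffix>=\?|\?|=(?P<params>[ -:<-~]*))?"
    r"(?:\r\n?)?",
    re.IGNORECASE,
)

MAX_LINE_LENGTH = 256  # assumed upper bound; tune to the longest command you need


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    command: str  # normalized line to send (CR-terminated), or "" when rejected


def validate_at_command(line: str, allowed=ALLOWED_COMMANDS) -> Verdict:
    """Decide whether `line` may be forwarded to the module's serial interface."""
    if len(line) > MAX_LINE_LENGTH:
        return Verdict(False, "line too long", "")
    m = _AT_LINE.fullmatch(line)
    if m is None:
        # Covers unknown syntax, control characters, ';' chaining and anything
        # following a line terminator (a second command hidden in the same write).
        return Verdict(False, "malformed line or forbidden characters", "")
    name = m.group("name").upper()
    if name not in allowed:
        return Verdict(False, f"command {name} not in allowlist", "")
    suffix = m.group("suffix") or ""
    # Rebuild the line from parsed parts instead of echoing the caller's bytes.
    return Verdict(True, "ok", name + suffix + "\r")


def forward_unchecked(line: str, write) -> None:
    """The pattern the advisory warns against: raw input straight to the port."""
    write(line.encode("ascii", errors="replace"))


def forward_to_module(line: str, write) -> bool:
    """Hardened forwarding: only validated commands reach `write` (e.g. serial.write)."""
    verdict = validate_at_command(line)
    if verdict.accepted:
        write(verdict.command.encode("ascii"))
    return verdict.accepted


if __name__ == "__main__":
    # Constructed inputs: legitimate commands, a chained command, an embedded
    # second line, a non-allowlisted command and a control character.
    samples = [
        "AT+CSQ",
        "at+csq\r\n",
        'AT+CGDCONT=1,"IP","internet"',
        "AT+CSQ;AT+CGMI",
        'AT+CGDCONT=1,"IP","x"\r\nAT+CGMI',
        "AT+CFUN=1,1",
        "AT+CGMI\x00",
    ]
    for s in samples:
        v = validate_at_command(s)
        print(f"{s!r:40} -> {'ACCEPT' if v.accepted else 'REJECT'} ({v.reason})")
```

`forward_to_module` is the drop-in replacement for `forward_unchecked`; pass the serial port's write method as `write`. Because the validator returns a normalized command, it is also the natural place to log what was actually sent to the module, which helps when reconstructing an incident on the device.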