Report Security Issues

Responsible Disclosure Policy

Purpose 

At u-blox, the safety and security of our customers and users have always been a top priority. We are dedicated to continuously improving our products, focusing on changing market needs and technological breakthroughs, as well as the evolving threat surface and new attack vectors. This Responsible Disclosure Policy is in place to identify new vulnerabilities and security issues in the relevant hardware, software or services provided by u-blox ("u-blox Products") and to address them in a timely manner.

Scope 

You can use this platform to report a vulnerability/security issue in any u‑blox Product, excluding end-of-life u‑blox products/services. 

Reporting a vulnerability in good faith, including through academic or private research, is possible under our Responsible Disclosure Policy and will not be penalized. Targeted, malicious or persistent attacks, however, are strictly forbidden and will be reported to the relevant authorities in accordance with the applicable laws.

How to report

If you are an existing u-blox customer, you can submit a vulnerability/security issue report by creating a support ticket in the u-blox support portal.

In other cases, please contact us at security@u-blox.com.

PGP public key and fingerprint: 32E0 747F D030 5791 38E6 CEF3 89BC C8BB 5E57 CB85

Secure communication 

Do not send us any issue information in the initial email. Instead, send us the following information: 

  • Your contact details 
  • Preferred form of secure communication (e.g. PGP or S/MIME) 

Reporting the issue 

After we have established the secure communication, please send us the following information to be able to address the issue: 

  • u-blox Product(s) affected, including version numbers; 
  • Vulnerability/security issue type, e.g. spoofing, tampering, remote code execution, information disclosure, denial of service, elevation of privilege; 
  • When and how you learned about the vulnerability/security issue;
  • Steps to reproduce the vulnerability/security issue including technical details; 
  • Supporting evidence, e.g. logs, screenshots, pictures, exploit code. 

Please include only the information necessary for u-blox to analyze the vulnerability/security issue properly, i.e. do not submit any personal or sensitive personal information. All your personal data will be processed in accordance with u-blox's Privacy Policy.

Follow-up actions 

u-blox will assess each submission received. After receiving your message, the following actions will be undertaken:

  • The vulnerability/security issue will be prioritized by analyzing its potential impact and exposure;
  • An assigned security representative will confirm to you that we have received your report;
  • We might request additional information from you as needed to investigate and resolve the issue;
  • Depending on the nature of the vulnerability/security issue, we will fix it and notify you, our customers and/or regulatory authorities, or take other actions as necessary.

To prevent exploitation of reported vulnerabilities/security issues before workarounds or fixes are available, we kindly ask you to refrain from disclosing the vulnerability/security issue until u-blox allows you to do so. 

There is currently no fixed reward ("bug bounty program") in place. u-blox may decide to recognize your efforts in the Acknowledgements below. Please also note that the terms and conditions of the u-blox website apply to your contribution, and u-blox will thus be able to use any information provided in any commercial context.

Acknowledgements 

We would like to thank all individuals and companies who have reported security issues in u-blox infrastructure or Products. 

2021

  • Talha Saleem, Individual

2020

  • Ronak Nahar, Individual
  • Aishwarya Kendle, Individual
  • Ali Razzaq, Individual
  • Mohammed Adam, Individual
  • Usama Abid, Individual
  • Avi Chakravarti, Individual
  • Badal Sardhara, Individual
  • Merbin Russel, Individual

Disclosures 

We continuously monitor and investigate reported security issues. In this section, we publish confirmed security vulnerabilities related to u-blox Products. 

Each entry below lists the vulnerability, the affected product(s) and our recommendations.

Vulnerability: Frame Aggregation vulnerability (FRAG)
Affected product(s): EMMY-W1 series, ELLA-W1 series, JODY-W1 series, JODY-W2 series, LILY-W1 series, NINA-W10 series, NINA-W13 series, NINA-W15 series, ODIN-W2 series
Recommendations: Please refer to the information note. New firmware is now available for some of the affected products; u-blox teams are working on the further releases.

Vulnerability: Spectra coexistence vulnerability
Affected product(s): JODY-W1 series
Recommendations: Please refer to the information note. New firmware is now available that patches the issue.

Vulnerability: CVE-2019-16336, CVE-2019-17519, CVE-2019-17517, CVE-2019-17518, CVE-2019-17520, CVE-2019-19195, CVE-2019-19196, CVE-2019-17061, CVE-2019-17060, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194 (Sweyntooth)
Affected product(s): JODY-W1, JODY-W2, R41Z, EMMY-W1
Recommendations: Please refer to the information note. New firmware is now available that patches the issue.

Vulnerability: Fault injection vulnerability in nRF52 chips
Affected product(s): ANNA-B1 series, BMD-3x series, NINA-B1 series, NINA-B3 series, NINA-B4 series
Recommendations: Please refer to the design considerations and product recommendations in the information note.

Vulnerability: CVE-2019-15126 (Kr00k)
Affected product(s): JODY-W1 series
Recommendations: Please refer to the information note. New firmware is now available that patches the issue.

Vulnerability: CVE-2019-9506 (KNOB)
Affected product(s): NINA-B2 series, NINA-W13 series, NINA-W15 series, ODIN-W2 series, JODY-W1 series, EMMY-W1 series
Recommendations: Please refer to the product documentation available here:
  • u-connect Express Application Note Appendix A
  • EMMY-W1 Release Notes
  • JODY-W1 Release Notes