According to news reports, Singapore University of Technology and Design researchers have revealed a family of 20 vulnerabilities, which they collectively dubbed BrakTooth, that affect more than 1,400 products based on 13 different Bluetooth devices sold by 11 of the world’s leading vendors.
BrakTooth, a family of 20 vulnerabilities affecting Bluetooth stacks implemented on system-on-a-chip (SoC) circuits from over a dozen vendors, affects more than 1,400 products based on 13 different Bluetooth devices sold by 11 of the world’s leading vendors.
Singapore University of Technology and Design researchers confirmed that the security flaws affect, at a minimum, smartphones, laptops, keyboards, headphones, and other Bluetooth-enabled devices. BrakTooth can reportedly be exploited to conduct denial of service (DoS) attacks and to enable arbitrary code execution (ACE) on target devices.
“We’re not going to delve into the technical details, but suffice it to say there are at least 16 different flaws affecting at least 13 different systems-on-a-chip (SoCs) or chipsets made by at least 11 different manufacturers, among them Intel, Cypress/Infineon, Harman International, Espressif, Silicon Labs and the aforementioned Qualcomm and Texas Instruments,” the researchers state.
DoS attacks can disrupt the victim’s Bluetooth connection or, in some cases, require Bluetooth connectivity to be restarted manually. ACE can be used to erase user data, disable wireless connectivity, or interact with other devices. Researchers state that all the vulnerabilities can be triggered without any previous pairing or authentication.
BrakTooth only enables ACE on the ESP32 system-on-a-chip (SoC) made by Espressif Systems. The bad news: the ESP32 is commonly found in Internet of Things (IoT) devices as well as industrial systems. The SoC is so common that the researchers’ proof-of-concept exploit actually uses an ESP32 development kit to conduct attacks on target devices.
The researchers said they disclosed BrakTooth to all of the affected vendors. Some companies have already released firmware patches to address the vulnerabilities, others are investigating the issue, and a few have said they don’t plan to fix the flaws.
The researchers said they don’t plan to publicly release the full proof-of-concept exploit until the end of October 2021, because that is when Intel is supposed to patch its devices. They did, however, release instructions for building “a low-cost BT Classic (BR/EDR) Active Sniffer” that will use the proof-of-concept exploit once it is released.
The flaws affect “classic” Bluetooth, i.e. Bluetooth versions 1.0 through 3.0. They do not affect Bluetooth Low Energy (BLE), also called Bluetooth 4.0 through 5.2, which is fundamentally different. However, almost all BLE-compatible devices are also compatible with earlier forms of Bluetooth, which leaves those devices vulnerable.
Meanwhile, in a related report Texas Instruments claims that it “has successfully replicated the security issue, but will consider producing a patch only if demanded by customers.”
Qualcomm is fixing one flaw, as noted above, but the situation is more complicated with another flaw. It’s already been fixed on the most recent version of one chipset, but Qualcomm “has no plan” to fix it on older versions, and the flaw can’t be fixed on another chipset due to insufficient memory space.