White-hat hackers have disclosed a bunch of security vulnerabilities, dubbed BrakTooth, affecting commercial Bluetooth devices – and are raising red flags about some vendors’ unwillingness to patch the flaws.
“Today we released BrakTooth,” said the ASSET (Automated Systems Security) Research Group at the Singapore University of Technology and Design, “a family of 16 new security vulnerabilities (20+ CVEs) in commercial Bluetooth Classic (BR/EDR) stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE).”
The team added: “BrakTooth affects major system-on-chip (SoC) vendors such as Intel, Qualcomm, Texas Instruments, Infineon (Cypress), Silicon Labs, among others.”
Representing an estimated 1,400 or more commercial products, including Microsoft’s Surface Pro 7, Surface Laptop 3, Surface Book 3, and Surface Go 2 and the Volvo FH infotainment system, the BrakTooth vulnerabilities are claimed to expose “fundamental attack vectors in the closed BT [Bluetooth] stack.” It’s not the first time the same team has made such claims, either: ASSET was also responsible for disclosing the SweynTooth vulnerabilities in February last year.
While all 16 vulnerabilities have been reported to vendors, the responses received vary considerably. Espressif, whose popular ESP32 microcontroller family was affected, was one of the first to release a patch closing the holes, along with Bluetrum Technology and Infineon. Intel, Actions, and Zhuhai Jieli Technology have confirmed they are either investigating the flaws or actively developing patches.
Harman International and SiLabs, by contrast, “hardly communicated with the team,” the researchers claimed, “and the status of their investigation is unclear at best.”
Worse news came from Texas Instruments and Qualcomm, however: the former stated outright that it will not produce a patch for the flaws unless “demanded by customers,” while the latter is patching only one of its affected parts – despite the unpatched chips still appearing in brand-new products around the world.
Exactly what the unpatched vulnerabilities will let an attacker do varies from device to device, but none of the possibilities are good.
The team has shown off arbitrary code execution on an ESP32 microcontroller, commonly found in Internet of Things (IoT) devices which are rarely if ever updated by their manufacturers, denial of service attacks against laptops and smartphones with the Intel AX200 and Qualcomm WCN3390 chips, and the ability to freeze or shut down headphones and other Bluetooth audio devices.
To assist vendors in fixing the flaws, the ASSET team has written a proof-of-concept attack tool, but, to delay the inevitable, has stated that it will be made available only to those willing to supply “certain basic information (job role, organisation, and valid email)” proving the legitimacy of their interest.
“How should everyone handle the usage of Bluetooth devices, especially if the devices used are affected by BrakTooth? As a start,” Yee Ching Tok, handler at the Internet Storm Center (ISC), wrote in an analysis of the disclosure, “one might want to be more aware of one’s surroundings when using Bluetooth.
“Since BrakTooth is based on the Bluetooth Classic protocol, an adversary would have to be in the radio range of the target to execute the attacks. As such, secured facilities should have a lower risk as compared to public areas (assuming no insiders within secured facilities). Having said that, this could also be a difficult task if an adversary manages to conceal the equipment well, though that would affect the range of Bluetooth connectivity.”
Full technical details are available on the BrakTooth website. Qualcomm and Texas Instruments were approached for comment on their decisions to leave devices unpatched, but had not responded in time for publication. ®