A set of new security flaws has been disclosed that could allow an attacker to execute arbitrary code, perform denial-of-service (DoS) attacks, and crash commercial Bluetooth devices.
The 16 security weaknesses were dubbed “BrakTooth” by researchers from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD). They mainly concern Bluetooth chipsets, and they affect almost 1,400 devices globally from 11 vendors, including Intel, Qualcomm, Zhuhai Jieli Technology, and Texas Instruments.
“All the vulnerabilities […] can be triggered without any previous pairing or authentication,” the researchers noted. “The impact of our discovered vulnerabilities is categorized into (I) crashes and (II) deadlocks. Crashes generally trigger a fatal assertion, segmentation faults due to a buffer or heap overflow within the SoC firmware. Deadlocks, in contrast, lead the target device to a condition in which no further BT communication is possible.”
The most notable issue is the ESP32 bug (CVE-2021-28139), which affects the popular Bluetooth-capable SoC used in consumer electronics and industrial equipment. The issue stems from a missing out-of-bounds check and can allow an attacker to inject arbitrary code on vulnerable devices.
The second set of security issues could allow an attacker to execute arbitrary code on a wide range of devices, which in turn could leave Bluetooth functionality disabled. These flaws affect a wide range of laptops and smartphones with Intel AX200 SoCs.
“This vulnerability allows an attacker to forcibly disconnect slave BT devices currently connected to AX200 under Windows or Linux Laptops,” the researchers said. “Similarly, Android phones such as Pocophone F1 and Oppo Reno 5G experience BT disruptions.”
Another set of flaws discovered in Bluetooth devices could freeze or even shut down the devices.
All the BrakTooth flaws could be exploited to carry out attacks with a readily available Bluetooth packet sniffer that costs less than $15.
While several firms, including Espressif, Infineon (Cypress), and Bluetrum Technology, have issued patches, others, including Intel, Qualcomm, and Zhuhai Jieli Technology, are still investigating the bugs and are expected to release fixes in the near future. Texas Instruments, however, doesn’t plan any fixes unless “demanded by customers.”
The ASSET group has also released a proof-of-concept tool that can be used to reproduce the BrakTooth attacks and check whether a device is affected by them.