A total of 16 vulnerabilities are plaguing the Bluetooth software stack of numerous SoC (system-on chip) chipsets. Called BrakTooth, the vulnerabilities affect 1,400 chipsets used in laptops, smartphones, IoT and industrial devices. If exploited, the flaws could crash and freeze exposed devices, and cloud also permit attackers to execute malicious code and perform takeover attacks.
BrakTooth Vulnerabilities Explained
BrakTootk is “a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs,” according to the official report.
The researchers evaluated 13 BT devices from 11 vendors, and discovered a total of 16 new security vulnerabilities, with 20 common vulnerability exposures already assigned and four vulnerabilities with pending CVE assignment from Intel and Qualcomm.
However, since the BT stack is shared across multiple products, the researchers believe that many other products, more than the 1400 initial entries, are exposed to these flaws. Thus, the researchers “suggest vendors producing BT system-on-chips (SoCs), BT modules or BT end products to use the BrakTooth proof-of-concept (PoC) code to validate their BT stack implementation.”
Shortly said, the recently disclosed flaws impact Bluetooth-enabled devices by continuously crashing or deadlocking them. More serious consequences, however, such as arbitrary code execution are also probable.
Out of the 16 BrakTooth issues, the most dangerous one is CVE-2021-28139, which could allow remote attackers to run their own malicious code on vulnerable devices via Bluetooth LMP packets.
More specifically, CVE-2021-28139 impacts smart and industrial devices built on Espressif Systems’ ESP32 SoC boards. However, the vulnerability could also affect many of the other 1,400 commercial products, in case the same Bluetooth software stack has been reused.
“It is important to clarify that any product employing a vulnerable Bluetooth chipset, is not necessarily insecure (nevertheless, affected due to BT connectivity being impaired). The overall security of an end-product, which has an internal chipset with firmware flaws, depends on how much the product relies on such a vulnerable chipset for its main functionality,” the report noted.
In May 2021, a team of security researchers identified another attack that endangers Bluetooth devices. The vulnerabilities are located in Bluetooth Core and Mesh Profile Specifications, and could help attackers conceal their endeavours as legitimate devices to perform man-in-the-middle attacks.
Called BIAS, or Bluetooth Impersonation AttackS, the vulnerabilities were discovered by Daniele Antonioli School of Computer and Communication Sciences EPFL, Nils Ole Tippenhauer CISPA Helmholtz Center for Information Security, and Kasper Rasmussen Department of Computer Science University of Oxford.