A set of 16 security flaws in commercial Bluetooth stacks, collectively tracked as BrakTooth, can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.
The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.
The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.
As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.
“we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.” reads the post published by the researchers. “All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. “
The attack scenario tested by the experts only requires a cheap ESP32 development kit (ESP-WROVER-KIT) with a custom (non-compliant) LMP firmware and a PC to run the PoC tool they developed. The tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks targeting the BDAddress (<target bdaddr>) using the specific exploit (<exploit_name>).
The researchers pointed out that all the BrakTooth vulnerabilities can be exploited by attackers without any previous pairing or authentication.
“The impact of our discovered vulnerabilities is categorized into (I) crashes and (II) deadlocks. Crashes generally trigger a fatal assertion, segmentation faults due to a buffer or heap overflow within the SoC firmware. Deadlocks, in contrast, lead the target device to a condition in which no further BT communication is possible.” continue the researchers. “This may happen due to the paging scan being forcibly disabled (V16), state machine corruption on V6 or entirely disabling BT functionality via arbitrary code execution (ACE) on V1.”
The most severe of the flaws is a Feature Pages Execution issue tracked as CVE-2021-28139, which affects the ESP32 SoC used in many Bluetooth-based devices. Attackers in radio range can trigger the issue to gain arbitrary code execution (ACE) in ESP32 via a crafted Extended Features bitfield payload.
Some vendors like Espressif, Infineon (Cypress), and Bluetrum Technology have already released firmware updates to fix the issues other manufactures, including Intel and Qualcomm, are still assessing their products.
(SecurityAffairs – hacking, BrakTooth)