A set of new security vulnerabilities has been disclosed in commercial Bluetooth stacks that could enable an adversary to execute arbitrary code and, worse, crash the devices by means of denial-of-service (DoS) attacks.
Collectively dubbed “BrakTooth” (referring to the Norwegian word “Brak”, which translates to “crash”), the 16 security weaknesses span 13 Bluetooth chipsets from 11 vendors such as Intel, Qualcomm, Zhuhai Jieli Technology, and Texas Instruments, covering an estimated 1,400 or more commercial products, including laptops, smartphones, programmable logic controllers, and IoT devices.
The flaws were disclosed by researchers from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD).
“All the vulnerabilities […] can be triggered without any previous pairing or authentication,” the researchers said. “The impact of our discovered vulnerabilities is categorized into (I) crashes and (II) deadlocks. Crashes generally trigger a fatal assertion, segmentation faults due to a buffer or heap overflow within the SoC firmware. Deadlocks, in contrast, lead the target device to a condition in which no further BT communication is possible.”
The most severe of the 16 bugs is CVE-2021-28139, which affects the ESP32 SoC used in many Bluetooth-based appliances ranging from consumer electronics to industrial equipment. Arising from a missing out-of-bounds check in the library, the flaw enables an attacker to inject arbitrary code on vulnerable devices, including erasing their NVRAM data.
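The bug class behind that CVE is a frame handler that trusts a peer-supplied length field and copies into a fixed firmware buffer without checking it. The following is an added example, not ESP32 or BrakTooth code and not the vendor library's API: it shows how a length-validated handler rejects over-long and truncated frames before any copy happens. The frame layout (opcode byte, declared length byte, payload) and the `MAX_PAYLOAD` size are constructed for illustration only, as are the sample frames.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example (not a real
 * Bluetooth PDU): byte 0 = opcode, byte 1 = declared payload length,
 * bytes 2.. = payload. */
#define MAX_PAYLOAD 16

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct parsed_frame {
    uint8_t opcode;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Count of frames rejected by the length checks; a firmware watchdog or
 * host-side monitor could treat a burst of these from one peer as a
 * crash/DoS attempt worth logging. */
static unsigned g_rejected_frames;

unsigned rejected_frame_count(void) { return g_rejected_frames; }

/* Length-validated parse: the copy is bounded by the declared length,
 * the fixed destination buffer, AND the number of bytes actually received.
 * Omitting the MAX_PAYLOAD check is the missing out-of-bounds check the
 * article describes: one over-length frame would then write past
 * `payload` into adjacent firmware memory. */
int parse_frame(const uint8_t *buf, size_t buf_len, struct parsed_frame *out)
{
    if (buf == NULL || out == NULL || buf_len < 2) {
        g_rejected_frames++;
        return PARSE_TRUNCATED;
    }
    uint8_t declared = buf[1];
    if (declared > MAX_PAYLOAD) {          /* destination bound */
        g_rejected_frames++;
        return PARSE_TOO_LONG;
    }
    if ((size_t)declared > buf_len - 2) {  /* source bound: peer claimed more than it sent */
        g_rejected_frames++;
        return PARSE_TRUNCATED;
    }
    out->opcode = buf[0];
    out->len = declared;
    memset(out->payload, 0, sizeof out->payload);
    memcpy(out->payload, buf + 2, declared);
    return PARSE_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]      = {0x01, 0x03, 0xAA, 0xBB, 0xCC};
static const uint8_t SAMPLE_OVERLONG[]  = {0x01, 0xFF, 0x00};       /* declares 255 bytes */
static const uint8_t SAMPLE_TRUNCATED[] = {0x01, 0x05, 0x00, 0x01}; /* declares 5, sends 2 */

int main(void)
{
    struct parsed_frame f;
    printf("good:      %d\n", parse_frame(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &f));
    printf("overlong:  %d\n", parse_frame(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, &f));
    printf("truncated: %d\n", parse_frame(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &f));
    printf("rejected:  %u\n", rejected_frame_count());
    return 0;
}
```

Both bounds matter: checking only the destination size still lets a peer that declares more bytes than it sent make the handler read past the end of the receive buffer, which is the other common way such handlers fault.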
Other vulnerabilities could result in the Bluetooth functionality being completely disabled via arbitrary code execution, or cause a denial-of-service condition in laptops and smartphones using Intel AX200 SoCs. “This vulnerability allows an attacker to forcibly disconnect slave BT devices currently connected to AX200 under Windows or Linux Laptops,” the researchers said. “Similarly, Android phones such as Pocophone F1 and Oppo Reno 5G experience BT disruptions.”
A last set of flaws discovered in Bluetooth speakers, headphones, and audio modules could be abused to freeze and even completely shut down the devices, requiring users to manually turn them back on. Troublingly, all the aforementioned BrakTooth attacks could be carried out with a readily available Bluetooth packet sniffer that costs less than $15.
While Espressif, Infineon (Cypress), and Bluetrum Technology have released firmware patches to rectify the identified vulnerabilities, Intel, Qualcomm, and Zhuhai Jieli Technology are said to be investigating the flaws or in the process of readying security updates. Texas Instruments, on the other hand, does not intend to release a fix unless “demanded by customers.”
The ASSET group has also made available a proof-of-concept (PoC) tool that can be used by vendors producing Bluetooth SoCs, modules, and products to replicate the vulnerabilities and validate against BrakTooth attacks.