Skip to content

BrakTooth: 16 vulnerabilities that put billions of Bluetooth devices at risk

  • by
  • 3 min read

Security researchers at the Singapore University of Technology and Design have found over 16 vulnerabilities collectively dubbed as BrakTooth that impact Bluetooth software stacks for about 1400 popular SoC chipsets.

The researchers pointed out that they only tested Bluetooth libraries for 13 SoC chipsets from 11 vendors. Subsequent research found that the same buggy firmware has been used with more than 1400 chipsets in smartphones, laptops, industrial equipment and a range of smart home IoT devices. 

The vulnerabilities allow an attacker to freeze, crash, or execute malicious code on the target device in a worst-case scenario. The findings were published in a research paper last week after approaching all 11 vendors with the bugs. 

In the News: Pac-Resolver library exposes apps to hijacking; downloaded 3M times a week


Blue’tooth’ aching much?

The vulnerabilities impact different devices differently owing to different SoC boards and Bluetooth software stacks. The worst of all these vulnerabilities is the CVE-2021-28139, allowing attackers to execute malicious code remotely by exploiting Bluetooth LMP packets.

The vulnerability affects mostly industrial and IoT devices built on the rather popular ESP32 board by Espressif. The issue, however, will impact all 1400 products that have used the same stack in some way, shape or form.

The entire list of BrakTooth vulnerabilities as found by the research team. | Source: Asset-Group

The same Bluetooth LMP packets can be used in a less harmful but annoying way. For example, an attacker can flood devices with malformed LMP packets causing Bluetooth service on laptops or smartphones to crash. Several Qualcomm SoC, as well as laptops from Dell and Microsoft, are vulnerable to these attacks. 

Even more alarming is that all these attacks can be carried out with off the shelf Bluetooth equipment that costs less than $15. Overall, there were 16 vulnerabilities detected in 13 chipsets as follows. 


Where’s the dentist?

Despite the more than 90 day warning period before the paper was published, only Espressif, Infineon and Bluetrum have released patches for their devices. Texas Instruments flat out refused to address the flaws impacting their chipsets, and others acknowledged the findings but haven’t put out a release date for their patches yet. 

List of vendors and their respective devices impacted by BrakTooth | Source: Asset-Group

The research team has refused to put out any proof of concept code, considering the patching process is still far from complete. They have, however, set up a form where vendors can approach the team to request PoC code to test the vulnerabilities for themselves. 

In the News: Lenovo unveils IdeaPad Slim 5 Pro in India: Price and Specs

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>