Security researchers at the Singapore University of Technology and Design have found over 16 vulnerabilities collectively dubbed as BrakTooth that impact Bluetooth software stacks for about 1400 popular SoC chipsets.
The researchers pointed out that they only tested Bluetooth libraries for 13 SoC chipsets from 11 vendors. Subsequent research found that the same buggy firmware has been used with more than 1400 chipsets in smartphones, laptops, industrial equipment and a range of smart home IoT devices.
The vulnerabilities allow an attacker to freeze, crash, or execute malicious code on the target device in a worst-case scenario. The findings were published in a research paper last week after approaching all 11 vendors with the bugs.
Blue’tooth’ aching much?
The vulnerabilities impact different devices differently owing to different SoC boards and Bluetooth software stacks. The worst of all these vulnerabilities is the CVE-2021-28139, allowing attackers to execute malicious code remotely by exploiting Bluetooth LMP packets.
The vulnerability affects mostly industrial and IoT devices built on the rather popular ESP32 board by Espressif. The issue, however, will impact all 1400 products that have used the same stack in some way, shape or form.
The same Bluetooth LMP packets can be used in a less harmful but annoying way. For example, an attacker can flood devices with malformed LMP packets causing Bluetooth service on laptops or smartphones to crash. Several Qualcomm SoC, as well as laptops from Dell and Microsoft, are vulnerable to these attacks.
Even more alarming is that all these attacks can be carried out with off the shelf Bluetooth equipment that costs less than $15. Overall, there were 16 vulnerabilities detected in 13 chipsets as follows.
Where’s the dentist?
Despite the more than 90 day warning period before the paper was published, only Espressif, Infineon and Bluetrum have released patches for their devices. Texas Instruments flat out refused to address the flaws impacting their chipsets, and others acknowledged the findings but haven’t put out a release date for their patches yet.
The research team has refused to put out any proof of concept code, considering the patching process is still far from complete. They have, however, set up a form where vendors can approach the team to request PoC code to test the vulnerabilities for themselves.