Bluetooth technology (BT) has come under heavy scrutiny because of repeated design flaws and implementation vulnerabilities. Researchers from the Singapore University of Technology and Design recently disclosed a family of security vulnerabilities, tracked as BrakTooth, in vendor implementations of the Bluetooth Classic (BR/EDR) protocol stack, affecting millions of Bluetooth-enabled devices. The affected chips and modules come from vendors including Intel, Qualcomm, Texas Instruments, Infineon (Cypress), Zhuhai Jieli Technology, and Silicon Labs.
After analyzing 13 BT devices from 11 vendors, the researchers found 16 security vulnerabilities. If successfully exploited, they allow an attacker within Bluetooth radio range of the target to mount attacks ranging from Denial of Service (DoS), through firmware crashes and deadlocks, up to Arbitrary Code Execution (ACE) on a vulnerable device.
“All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. As the BT stack is often shared across many products, many other products are probably affected by BrakTooth. Therefore, we suggest that vendors producing BT system-on-chips (SoCs), BT modules, or BT end products use the BrakTooth proof-of-concept (PoC) code to validate their BT stack implementation,” the researchers said.
Vulnerabilities Discovered
- Feature Pages Execution (CVE-2021-28139)
- Truncated SCO Link Request (CVE-2021-34144)
- Duplicated IOCAP (CVE-2021-28136)
- Feature Response Flooding (CVE-2021-28135/28155/31717)
- LMP Auto Rate Overflow (CVE-2021-31609/31612)
- LMP 2-DH1 Overflow
- LMP DM1 Overflow (CVE-2021-34150)
- Truncated LMP Accepted (CVE-2021-31613)
- Invalid Setup Complete (CVE-2021-31611)
- Host Connection Flooding (CVE-2021-31785)
- Same Host Connection (CVE-2021-31786)
- LMP AU Rand Flooding (CVE-2021-31610/34149/34146/34143)
- LMP Invalid Max Slot Type (CVE-2021-34145)
- Max Slot Length Overflow (CVE-2021-34148)
- Invalid Timing Accuracy (CVE-2021-34147)
Affected Devices
- Industrial equipment like programmable logic controllers (PLCs)
- Smartphones
- Infotainment systems
- Laptop and desktop systems
- Audio devices
- Home entertainment systems
- BT-enabled keyboards and toys
How the Attack Works
The researchers' proof of concept uses an ESP32 development kit (ESP-WROVER-KIT) flashed with a custom, deliberately non-compliant LMP firmware, driven by a computer that runs the PoC tool. An attacker reproducing the attack needs equivalent hardware and has to be within Bluetooth radio range of the target; because the flaws sit in how the target's controller handles Link Manager Protocol (LMP) traffic, the malformed packets are sent directly over the air without any pairing.
The researchers also detailed the attack scenario in a video.
“All the vulnerabilities can be triggered without any previous pairing or authentication. The impact of our discovered vulnerabilities is categorized into crashes and deadlocks. Crashes generally trigger a fatal assertion or segmentation faults due to a buffer or heap overflow within the SoC firmware. Deadlocks, in contrast, lead the target device to a condition in which no further BT communication is possible,” the researchers added.
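The overflow and truncation entries in the vulnerability list above, and the crash mechanism the researchers describe here, come down to controller firmware trusting fields of an LMP PDU that an unauthenticated peer supplies. The following C program is an added, constructed illustration of that bug class; it is not code from the BrakTooth researchers or from any affected vendor's firmware and does not reproduce any specific CVE. The opcodes, payload lengths, the `pdu_t` layout and the `link_ctx_t` state are all hypothetical. It places a handler that trusts the peer-supplied length and slot index beside one that validates both before touching link state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical PDU opcodes and layouts, loosely modelled on LMP for
 * illustration only; real LMP opcodes, lengths and field layouts differ. */
enum { OP_FEATURES_RES = 0x28, OP_MAX_SLOT = 0x2D };

#define FEATURES_LEN   8   /* features_res carries an 8-byte feature mask */
#define MAX_SLOT_TYPES 3   /* slot types this controller knows: 1, 3 and 5 slots */

typedef struct {
    uint8_t opcode;
    uint8_t len;            /* payload length as claimed by the peer */
    uint8_t payload[32];
} pdu_t;

/* Per-link controller state (hypothetical). feature_buf and link_state are
 * adjacent so that an overflow of the former visibly corrupts the latter. */
typedef struct {
    uint8_t feature_buf[FEATURES_LEN];
    uint8_t link_state;     /* 1 = connected, 0 = idle */
    uint8_t max_slot;       /* index into slot_to_len[] */
} link_ctx_t;

static const uint8_t slot_to_len[MAX_SLOT_TYPES] = { 1, 3, 5 };

/* Builds a PDU from a constructed byte string. `len` is stored as claimed even
 * if it exceeds the bytes provided, mirroring a peer that lies about length. */
pdu_t make_pdu(uint8_t opcode, const uint8_t *data, uint8_t len)
{
    pdu_t p;
    memset(&p, 0, sizeof p);
    p.opcode = opcode;
    p.len = len;
    if (data && len)
        memcpy(p.payload, data, len < sizeof p.payload ? len : sizeof p.payload);
    return p;
}

/* Vulnerable handler: uses pdu->len and payload[0] without validation.
 * The (uint8_t *)ctx + offsetof(...) form keeps this demo inside the object
 * so it runs deterministically; the bug is the unchecked pdu->len. */
int handle_pdu_vuln(link_ctx_t *ctx, const pdu_t *pdu)
{
    switch (pdu->opcode) {
    case OP_FEATURES_RES:
        /* peer claims 9 bytes, buffer holds 8: the 9th lands in link_state */
        memcpy((uint8_t *)ctx + offsetof(link_ctx_t, feature_buf),
               pdu->payload, pdu->len);
        return 0;
    case OP_MAX_SLOT:
        /* no range check (a later slot_to_len[max_slot] reads out of bounds)
         * and payload[0] is read even when the PDU is truncated to len == 0 */
        ctx->max_slot = pdu->payload[0];
        return 0;
    default:
        return -1;
    }
}

/* Expected payload length per opcode; -1 for unknown opcodes. */
static int expected_len(uint8_t opcode)
{
    switch (opcode) {
    case OP_FEATURES_RES: return FEATURES_LEN;
    case OP_MAX_SLOT:     return 1;
    default:              return -1;
    }
}

/* Hardened handler: rejects truncated or oversized PDUs before touching any
 * state, copies with a fixed bound, and range-checks every table index. */
int handle_pdu_hardened(link_ctx_t *ctx, const pdu_t *pdu)
{
    int want = expected_len(pdu->opcode);
    if (want < 0 || pdu->len != (uint8_t)want)
        return -1;
    switch (pdu->opcode) {
    case OP_FEATURES_RES:
        memcpy(ctx->feature_buf, pdu->payload, FEATURES_LEN);
        return 0;
    case OP_MAX_SLOT:
        if (pdu->payload[0] >= MAX_SLOT_TYPES)
            return -1;
        ctx->max_slot = pdu->payload[0];
        return 0;
    default:
        return -1;
    }
}

/* Slot count for the negotiated slot type; only safe once max_slot has been
 * validated by the hardened handler. */
uint8_t negotiated_slots(const link_ctx_t *ctx)
{
    return slot_to_len[ctx->max_slot];
}

int main(void)
{
    uint8_t oversized[9];
    memset(oversized, 0xAA, sizeof oversized);   /* constructed: 9 bytes for an 8-byte buffer */
    pdu_t p = make_pdu(OP_FEATURES_RES, oversized, 9);

    link_ctx_t a = { {0}, 1, 0 }, b = { {0}, 1, 0 };
    handle_pdu_vuln(&a, &p);
    int rc = handle_pdu_hardened(&b, &p);
    printf("vulnerable: link_state=0x%02x (was 0x01)\n", a.link_state);
    printf("hardened:   rc=%d link_state=0x%02x\n", rc, b.link_state);
    return 0;
}
```

The hardened handler applies the two checks the researchers' validation advice implies: every PDU's length is compared against the length its opcode requires before any field is read (which catches both truncated and oversized packets), and any peer-supplied value that becomes an array index is range-checked against the table it indexes. On a real SoC the same unchecked copy would hit a fatal assertion or fault in firmware rather than a neighbouring byte in a test struct, but the fix has the same shape.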