BrakTooth: security researchers reveal 16 serious Bluetooth flaws affecting billions of devices
Security researchers from the Singapore University of Technology and Design have disclosed a new family of security vulnerabilities in commercial Bluetooth stacks used in billions of devices. Collectively known as BrakTooth, the vulnerabilities pose a range of risks including remote code execution and DoS via crashes and deadlocks.
The Bluetooth stacks found to be vulnerable are used in System-on-Chip (SoC) boards from various big-name manufacturers including Qualcomm, Texas Instruments and Silicon Labs; numerous Microsoft products are also affected, including Surface Pro 7, Surface Laptop 3, Surface Book 3 and Surface Go 2.
See also:
- Microsoft crowbars ads into Windows 11 and breaks the Start menu and taskbar
- Microsoft releases PowerToys v0.45.0 with Windows 11 styling
- Microsoft releases Windows 10 KB5005101 update to fix headphone problems, monitor issues and more
The ASSET (Automated Systems Security) Research Group says that the 16 vulnerabilities include 20 CVEs as well as four which are still awaiting CVE assignment. Preliminary research shows that BrakTooth afflicts at least 1,400 individual products, but as the Bluetooth stack is often shared across many products, it is likely that this figure is actually much higher.
While a number of manufacturers have already patched the flaws in their products and others are in the process of investigating and producing fixes, this is not true of all companies. Texas Instruments, for instance, says that it "will consider producing a patch only if demanded by customers". Qualcomm has patched the flaws in some of its own affected devices, but there are some products with the vulnerability which it has no plan to patch
The researchers say:
All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. An exploration on Bluetooth listing reveals that BrakTooth affects over 1400 product listings. BrakTooth exposes fundamental attack vectors in the closed BT stack. As the BT stack is often shared across many products, it is highly probable that many other products (beyond the ≈1400 entries observed in Bluetooth listing) are affected by BrakTooth.
The impact of the vulnerability varies greatly between devices. The threat of Arbitrary Code Execution in IoT devices is one of the greatest concerns, however.
In a video, the ASSET Research Group demonstrates Arbitrary Code Execution on the ESP32 SoC:
Full details of the researchers' findings are available here.