Millions of Bluetooth-enabled devices vulnerable
A collection of vulnerabilities has been identified in Bluetooth stacks, allowing an attacker to execute arbitrary code or trigger denial-of-service (DoS) conditions that crash affected devices.
These 16 vulnerabilities were identified by specialists at the ASSET Research Group at the Singapore University of Technology and Design (SUTD). They are tracked as BrakTooth and are spread across 13 Bluetooth chipsets from vendors including Intel, Qualcomm, Zhuhai Jieli Technology, and Texas Instruments. The affected chipsets are used in around 1,400 commercial products, including laptops, smartphones, PLCs, and IoT devices.
The researchers also noted that all the vulnerabilities can be triggered without any prior authentication. They categorized the impacts into crashes and deadlocks. Crashes refer to a fatal assertion or a segmentation fault caused by a buffer or heap overflow within the SoC firmware. Deadlocks, on the other hand, refer to a condition in which the target device can no longer perform any Bluetooth communication.
Among the vulnerabilities, the most severe is CVE-2021-28139. It affects the ESP32 SoC, which is used in Bluetooth devices ranging from consumer electronics to industrial equipment, and is caused by a missing out-of-bounds check in the library. The flaw allows an adversary to inject arbitrary code on affected devices and to erase their NVRAM data.
Other flaws can disable Bluetooth functionality on devices with Intel AX200 SoCs through arbitrary code execution or a DoS condition. Another set of vulnerabilities found in Bluetooth speakers, headphones, and audio modules can be used by an attacker to freeze or shut down the devices, after which users must turn them back on manually. What is more worrisome is that all the identified attacks can be carried out with an inexpensive Bluetooth packet sniffer.
Espressif, Infineon (Cypress), and Bluetrum Technology have taken measures to remediate the issue by releasing firmware patches. Other vendors, including Intel, Qualcomm, and Zhuhai Jieli Technology, are in the process of investigating and rectifying the flaws. Texas Instruments said it would release a fix when customers demand it.
The ASSET group has released a proof-of-concept (PoC) tool that lets vendors test their products against the BrakTooth attacks by replicating the vulnerabilities.