A set of new security vulnerabilities has been disclosed in commercial Bluetooth stacks that could enable an adversary to execute arbitrary code and, worse, crash the devices via denial-of-service (DoS) attacks.
Collectively dubbed “BrakTooth” (referring to the Norwegian word “Brak,” which translates to “crash”), the 16 security weaknesses span 13 Bluetooth chipsets from 11 vendors such as Intel, Qualcomm, Zhuhai Jieli Technology, and Texas Instruments, covering an estimated 1,400 or more commercial products, including laptops, smartphones, programmable logic controllers, and IoT devices.
The flaws were disclosed by researchers from the ASSET (Automated Systems Security) Research Group at the Singapore University of Technology and Design (SUTD).
“All the vulnerabilities […] can be triggered without any prior pairing or authentication,” the researchers noted. “The impact of our discovered vulnerabilities is classified into (I) crashes and (II) deadlocks. Crashes generally trigger a fatal assertion, segmentation faults due to a buffer or heap overflow within the SoC firmware. Deadlocks, in contrast, lead the target device to a condition in which no further BT communication is possible.”
The most severe of the 16 bugs is CVE-2021-28139, which affects the ESP32 SoC used in many Bluetooth-based appliances ranging from consumer electronics to industrial equipment. Arising from a missing out-of-bounds check in the library, the flaw allows an attacker to inject arbitrary code on vulnerable devices, including erasing their NVRAM data.
Other vulnerabilities could result in the Bluetooth functionality being entirely disabled via arbitrary code execution, or cause a denial-of-service condition in laptops and smartphones using Intel AX200 SoCs. “This vulnerability allows an attacker to forcibly disconnect slave BT devices currently connected to AX200 under Windows or Linux laptops,” the researchers said. “Likewise, Android phones such as Pocophone F1 and Oppo Reno 5G experience BT disruptions.”
A final set of flaws discovered in Bluetooth speakers, headphones, and audio modules could be abused to freeze and even completely shut down the devices, requiring users to manually turn them back on. Troublingly, all the aforementioned BrakTooth attacks could be carried out with a readily available Bluetooth packet sniffer that costs less than $15.
While Espressif, Infineon (Cypress), and Bluetrum Technology have released firmware patches to rectify the identified vulnerabilities, Intel, Qualcomm, and Zhuhai Jieli Technology are said to be investigating the flaws or in the process of readying security updates. Texas Instruments, however, does not intend to release a fix unless “required by customers.”
The ASSET team has also made available a proof-of-concept (PoC) tool that can be used by vendors producing Bluetooth SoCs, modules, and products to replicate the vulnerabilities and validate their defenses against BrakTooth attacks.