A handful of new vulnerabilities have been exposed in commercial Bluetooth packets that could allow an adversary to execute arbitrary code and, worse yet, lock devices with Denial of Service (DoS) attacks.
collectively referred to as broken teeth (Referring to the Norwegian word Brak, which translates to crash), the 16 vulnerabilities cover 13 Bluetooth chipsets from 11 vendors such as Intel, Qualcomm, Zhuhai Jieli Technology and Texas Instruments, covering about 1,400 or more products. Laptops, smartphones, PLCs, and IoT devices.
The vulnerabilities were detected by researchers from The ASSET (Automated Systems Security) Research Group at the Singapore University of Technology and Design (SUTD).
“All vulnerabilities can be activated without any pairing or prior authentication. The impact of our discovered vulnerabilities is categorized into (1) failures and (2) deadlocks. Failures generally result in fatal assertions, hash failures due to a buffer overflow or The stack is inside the SoC firmware.In contrast, hardware interlocks lead the target device to a state where no other BT connection is possible. The researchers said.
The most serious of the 16 vulnerabilities is CVE-2021-28139, which affects the ESP32 SoC used in many Bluetooth-based devices ranging from consumer electronics to industrial equipment. Because there is no out-of-bounds screening in the library, The flaw allows an attacker to inject arbitrary code into vulnerable devices, including erasing NVRAM data.
Other vulnerabilities could completely disable Bluetooth functionality by executing arbitrary code, or cause a denial of service on laptops and smartphones that use the Intel AX200 SoC.
This vulnerability allows an attacker to disconnect BT devices currently connected to the AX200 on Windows or Linux laptops. Similarly, Android phones like Pocophone F1 and Oppo Reno 5G are experiencing BT outages,” The researchers added.
In addition, a third set of flaws discovered in Bluetooth speakers, headphones, and audio modules can be abused to completely freeze and shut down devices, requiring users to manually restart them. Alarmingly, all of the BrakTooth attacks mentioned above can be carried out using a readily available Bluetooth packet tracker that costs less than $15.
Although Espressif, Infineon (Cypress) and Bluetrum Technology have released firmware patches to correct identified vulnerabilities, Intel, Qualcomm and Zhuhai Jieli Technology are said to be investigating the vulnerabilities or in the process of preparing security updates. On the other hand, Texas Instruments does not intend to release a solution unless Required by clients.
The ASSET group has also made a file . available test tool (PoC), which can be used by vendors that produce Bluetooth systems, modules, and products to replicate vulnerabilities and verify BrakTooth attacks.
“Unapologetic pop culture trailblazer. Freelance troublemaker. Food guru. Alcohol fanatic. Gamer. Explorer. Thinker.”