A collection of vulnerabilities known as BrakTooth are affecting Bluetooth stacks implanted on system-on-chips (SoC) circuits from several vendors. The vulnerabilities affect various devices, including consumer electronics and industrial equipment.
The associated risks encompass everything from denial-of-service, deadlock condition of the device, and even arbitrary code execution. Researchers from the Singapore University of Technology and Design have published details about the set of flaws affecting commercial Bluetooth stacks. They assessed 13 Bluetooth devices from close to a dozen SoC vendors, including Qualcomm, Cypress, Intel, and Texas Instruments.
The researchers dug deeper to find more than 1,400 product listings affected by the BrakTooth flaws. The list includes (but isn’t limited to) the following types of devices:
- Laptops and desktop systems
- Infotainment systems
- Audio systems (speakers, headphones)
- Industrial equipment (PLCs (programmable logic controllers))
- Home entertainment sets
Since so many products are affected, it would be an accurate estimation that the BrakTooth set of flaws affects billions of devices. The researchers say that the risks include denial of service by crashing the firmware or a deadlock condition where Bluetooth communication is cut off or even execution of arbitrary code.
The attacks aren’t too complex to execute
To pull off a BrakTooth attack, a person would need an ESP32 development kit, a custom Link Manager Protocol (LMP) firmware, and a computer to run the proof-of-concept tool. Of the 16 flaws found, one is tracked as CVE-2021-28139 and presents a higher risk than others since it allows arbitrary code execution.
It affects devices with an ESP32 SoC circuit, found in many IoT appliances for industry and home automation.
The researchers demonstrate the attack in this video by changing the state of an actuator using an LMP Feature Response Extended packet.