Vulnerabilities collectively known as BrakTooth affect Bluetooth stacks implemented on system-on-a-chip (SoC) circuits from over a dozen vendors.
The set of issues affects all kinds of devices, from consumer electronics to industrial equipment. The associated risk ranges from denial-of-service and a deadlock condition of the device to arbitrary code execution.
Wide range of products impacted
Researchers from the Singapore University of Technology and Design have published details about BrakTooth, a new family of security vulnerabilities in commercial Bluetooth stacks.
They assessed 13 Bluetooth devices from almost a dozen SoC vendors, including Intel, Qualcomm, Texas Instruments, and Cypress.
| BT SoC Vendor | BT SoC | Dev. Kit / Product | Sample Code |
| --- | --- | --- | --- |
| Intel (BT 5.2) | AX200 | Laptop Forge15-R | N.A |
| Qualcomm (BT 5.2) | WCN3990 | Xiaomi Pocophone F1 | N.A |
| Texas Instruments (BT 5.1) | CC2564C | CC256XCQFN-EM | SPPDMMultiDemo |
| Zhuhai Jieli Technology (BT 5.1) | AC6366C | AC6366C_DEMO_V1.0 | app_keyboard |
| Cypress (BT 5.0) | CYW20735B1 | CYW920735Q60EVB-01 | rfcomm_serial_port |
| Bluetrum Technology (BT 5.0) | AB5301A | AB32VG1 | Default |
| Zhuhai Jieli Technology (BT 5.0) | AC6925C | XY-WRBT Module | N.A |
| Actions Technology (BT 5.0) | ATS281X | Xiaomi MDZ-36-DB | N.A |
| Zhuhai Jieli Technology (BT 4.2) | AC6905X | BT Audio Receiver | N.A |
| Espressif Systems (BT 4.2) | ESP32 | ESP-WROVER-KIT | bt_spp_acceptor |
| Harman International (BT 4.1) | JX25X | JBL TUNE500BT | N.A |
| Qualcomm (BT 4.0) | CSR 8811 | Laird DVK-BT900-SA | vspspp.server.at |
| Silabs (BT 3.0+HS) | WT32i | DKWT32I-A | ai-6.3.0-1149 |
Digging deeper, the researchers found that more than 1,400 product listings are affected by BrakTooth, and the list includes but is not limited to the following types of devices:
- Infotainment systems
- Laptop and desktop systems
- Audio devices (speakers, headphones)
- Home entertainment systems
- Industrial equipment (e.g. programmable logic controllers, PLCs)
Considering the variety of products affected, saying that BrakTooth affects billions of devices is likely an accurate estimate.
The researchers say that the risk associated with the BrakTooth set of security flaws ranges from denial-of-service (DoS), either by crashing the device firmware or through a deadlock condition in which Bluetooth communication is no longer possible, to arbitrary code execution.
Someone carrying out a BrakTooth attack would need an ESP32 development kit, a custom Link Manager Protocol (LMP) firmware, and a computer to run the proof-of-concept (PoC) tool.
Of the 16 BrakTooth vulnerabilities, one of them, tracked as CVE-2021-28139, presents a higher risk than the others because it allows arbitrary code execution.
It affects devices with an ESP32 SoC, which is found in numerous IoT appliances for home or industrial automation.
The researchers demonstrate the attack in a video by changing the state of an actuator using an LMP Feature Response Extended packet.
Devices running on Intel's AX200 SoC and Qualcomm's WCN3990 SoC are vulnerable to a DoS condition triggered by sending a malformed packet.
The list of impacted products includes laptops and desktops from Dell (Optiplex, Alienware), Microsoft Surface devices (Go 2, Pro 7, Book 3), and smartphones (e.g. Pocophone F1, Oppo Reno 5G).
The researchers informed all vendors whose products they found to be vulnerable to BrakTooth ahead of publishing their findings, but only some of the products have been patched.
The vulnerabilities in the BrakTooth collection target the LMP and baseband layers. Currently, they have been assigned 20 identifiers with a few more pending, and refer to the following 16 issues:
- Feature Pages Execution (CVE-2021-28139 – arbitrary code execution/deadlock)
- Truncated SCO Link Request (CVE-2021-34144 – deadlock)
- Duplicated IOCAP (CVE-2021-28136 – crash)
- Feature Response Flooding (CVE-2021-28135, CVE-2021-28155, CVE-2021-31717 – crash)
- LMP Auto Rate Overflow (CVE-2021-31609, CVE-2021-31612 – crash)
- LMP 2-DH1 Overflow (pending CVE – deadlock)
- LMP DM1 Overflow (CVE-2021-34150 – deadlock)
- Truncated LMP Accepted (CVE-2021-31613 – crash)
- Invalid Setup Complete (CVE-2021-31611 – deadlock)
- Host Conn. Flooding (CVE-2021-31785 – deadlock)
- Same Host Connection (CVE-2021-31786 – deadlock)
- AU Rand Flooding (CVE-2021-31610, CVE-2021-34149, CVE-2021-34146, CVE-2021-34143 – crash/deadlock)
- Invalid Max Slot Type (CVE-2021-34145 – crash)
- Max Slot Length Overflow (CVE-2021-34148 – crash)
- Invalid Timing Accuracy (CVE-2021-34147 and two more pending CVEs – crash)
- Paging Scan Deadlock (pending CVE – deadlock)