
Bluetooth BrakTooth bugs could affect billions of devices


BrakTooth vulnerabilities can enable code execution on affected devices or crash them

Vulnerabilities collectively known as BrakTooth affect Bluetooth stacks implemented on system-on-a-chip (SoC) circuits from more than a dozen vendors.

The set of issues affects all kinds of devices, from consumer electronics to industrial equipment. The associated risk ranges from denial-of-service and deadlock conditions on the device to arbitrary code execution.

Large number of products impacted

Researchers from the Singapore University of Technology and Design have published details about BrakTooth, a new family of security vulnerabilities in commercial Bluetooth stacks.

They assessed 13 Bluetooth devices from close to a dozen SoC vendors, including Intel, Qualcomm, Texas Instruments, and Cypress.

| BT SoC Vendor | BT SoC | Dev. Kit / Product | Sample Code |
|---|---|---|---|
| Intel (BT 5.2) | AX200 | Laptop Forge15-R | N.A |
| Qualcomm (BT 5.2) | WCN3990 | Xiaomi Pocophone F1 | N.A |
| Texas Instruments (BT 5.1) | CC2564C | CC256XCQFN-EM | SPPDMMultiDemo |
| Zhuhai Jieli Technology (BT 5.1) | AC6366C | AC6366C_DEMO_V1.0 | app_keyboard |
| Cypress (BT 5.0) | CYW20735B1 | CYW920735Q60EVB-01 | rfcomm_serial_port |
| Bluetrum Technology (BT 5.0) | AB5301A | AB32VG1 | Default |
| Zhuhai Jieli Technology (BT 5.0) | AC6925C | XY-WRBT Module | N.A |
| Actions Technology (BT 5.0) | ATS281X | Xiaomi MDZ-36-DB | N.A |
| Zhuhai Jieli Technology (BT 4.2) | AC6905X | BT Audio Receiver | N.A |
| Espressif Systems (BT 4.2) | ESP32 | ESP-WROVER-KIT | bt_spp_acceptor |
| Harman International (BT 4.1) | JX25X | JBL TUNE500BT | N.A |
| Qualcomm (BT 4.0) | CSR 8811 | Laird DVK-BT900-SA | vspspp.server.at |
| Silabs (BT 3.0+HS) | WT32i | DKWT32I-A | ai-6.3.0-1149 |

Digging deeper, the researchers found that more than 1,400 product listings are affected by BrakTooth, and the list includes but is not limited to the following types of devices:

  • Smartphones
  • Infotainment systems
  • Laptop and desktop systems
  • Audio devices (speakers, headphones)
  • Home entertainment systems
  • Keyboards
  • Toys
  • Industrial equipment (e.g. programmable logic controllers, PLCs)

Considering the range of products affected, saying that BrakTooth impacts billions of devices is likely an accurate estimate.

The researchers say that the risk associated with the BrakTooth set of security flaws ranges from denial-of-service (DoS) by crashing the device firmware, or a deadlock condition where Bluetooth communication is no longer possible, to arbitrary code execution.

Someone carrying out a BrakTooth attack would need an ESP32 development kit, a custom Link Manager Protocol (LMP) firmware, and a computer to run the proof-of-concept (PoC) tool.

BrakTooth attack scenario

Of the 16 BrakTooth vulnerabilities, one of them, tracked as CVE-2021-28139, presents a higher risk than the others because it allows arbitrary code execution.

It affects devices with an ESP32 SoC, which is found in numerous IoT appliances for home or industrial automation.

The researchers demonstrate the attack in the video below by changing the state of an actuator using an LMP Feature Response Extended packet:

Devices running on Intel's AX200 SoC and Qualcomm's WCN3990 SoC are susceptible to a DoS condition triggered by sending a malformed packet.

The list of affected products includes laptops and desktops from Dell (Optiplex, Alienware), Microsoft Surface devices (Go 2, Pro 7, Book 3), and smartphones (e.g. Pocophone F1, Oppo Reno 5G).

The researchers informed all vendors whose products they found to be vulnerable to BrakTooth ahead of the publication of their findings, but only some of them have been patched.

Patch state of BrakTooth vulnerabilities affecting Bluetooth stack

The vulnerabilities in the BrakTooth collection target the LMP and baseband layers. Currently, they have been assigned 20 identifiers, with a few more pending, and refer to the following 16 issues:

  1. Feature Pages Execution (CVE-2021-28139 – arbitrary code execution/deadlock)
  2. Truncated SCO Link Request (CVE-2021-34144 – deadlock)
  3. Duplicated IOCAP (CVE-2021-28136 – crash)
  4. Feature Response Flooding (CVE-2021-28135, CVE-2021-28155, CVE-2021-31717 – crash)
  5. LMP Auto Rate Overflow (CVE-2021-31609, CVE-2021-31612 – crash)
  6. LMP 2-DH1 Overflow (pending CVE – deadlock)
  7. LMP DM1 Overflow (CVE-2021-34150 – deadlock)
  8. Truncated LMP Accepted (CVE-2021-31613 – crash)
  9. Invalid Setup Complete (CVE-2021-31611 – deadlock)
  10. Host Conn. Flooding (CVE-2021-31785 – deadlock)
  11. Same Host Connection (CVE-2021-31786 – deadlock)
  12. AU Rand Flooding (CVE-2021-31610, CVE-2021-34149, CVE-2021-34146, CVE-2021-34143 – crash/deadlock)
  13. Invalid Max Slot Type (CVE-2021-34145 – crash)
  14. Max Slot Length Overflow (CVE-2021-34148 – crash)
  15. Invalid Timing Accuracy (CVE-2021-34147 and two more pending CVEs – crash)
  16. Paging Scan Deadlock (pending CVE – deadlock)
