BrakTooth vulnerabilities put Bluetooth users at risk – and some devices are going unpatched

Qualcomm, Texas Instruments alleged to be leaving Bluetooth chips open to attack


White-hat hackers have disclosed a bunch of security vulnerabilities, dubbed BrakTooth, affecting commercial Bluetooth devices - and are raising red flags about some vendors' unwillingness to patch the flaws.

"Today we released BrakTooth," said the ASSET (Automated Systems Security) Research Group at the Singapore University of Technology and Design, "a family of 16 new security vulnerabilities (20+ CVEs) in commercial Bluetooth Classic (BR/EDR) stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE)."

The team added: "BrakTooth affects major system-on-chip (SoC) vendors such as Intel, Qualcomm, Texas Instruments, Infineon (Cypress), Silicon Labs, among others."

Representing an estimated 1,400 or more commercial products, including Microsoft's Surface Pro 7, Surface Laptop 3, Surface Book 3, and Surface Go 2 and the Volvo FH infotainment system, the BrakTooth vulnerabilities are claimed to expose "fundamental attack vectors in the closed BT [Bluetooth] stack." It's not the first time the same team has made such claims, either: ASSET was also responsible for disclosing the SweynTooth vulnerabilities in February last year.

While all 16 vulnerabilities have been reported to vendors, the responses received vary considerably. Espressif, whose popular ESP32 microcontroller family was affected, was one of the first to release a patch closing the holes, along with Bluetrum Technology and Infineon. Intel, Actions, and Zhuhai Jieli Technology have confirmed they are either investigating the flaws or actively developing patches.

Harman International and SiLabs, by contrast, "hardly communicated with the team," the researchers claimed, "and the status of their investigation is unclear at best."

Worse news came from Texas Instruments and Qualcomm, however: the former stated outright that it will not produce a patch for the flaws unless "demanded by customers," while the latter is patching only one of its affected parts - despite the unpatched chips still appearing in brand-new products around the world.

Exactly what the unpatched vulnerabilities will let an attacker do varies from device to device, but none of the possibilities are good.

The team has shown off arbitrary code execution on an ESP32 microcontroller, commonly found in Internet of Things (IoT) devices which are rarely if ever updated by their manufacturers, denial of service attacks against laptops and smartphones with the Intel AX200 and Qualcomm WCN3390 chips, and the ability to freeze or shut down headphones and other Bluetooth audio devices.

To assist vendors in fixing the flaws, the ASSET team has written a proof-of-concept attack tool - but, to delay the inevitable, has stated that it will be available only to those willing to supply "certain basic information (job role, organisation, and valid email)" proving the legitimacy of their interest.

"How should everyone handle the usage of Bluetooth devices, especially if the devices used are affected by BrakTooth? As a start," Yee Ching Tok, handler at the Internet Storm Center (ISC), wrote in an analysis of the disclosure, "one might want to be more aware of one's surroundings when using Bluetooth.

"Since BrakTooth is based on the Bluetooth Classic protocol, an adversary would have to be in the radio range of the target to execute the attacks. As such, secured facilities should have a lower risk as compared to public areas (assuming no insiders within secured facilities). Having said that, this could also be a difficult task if an adversary manages to conceal the equipment well, though that would affect the range of Bluetooth connectivity."

Full technical details are available on the BrakTooth website. Qualcomm and Texas Instruments were approached for comment on their decisions to leave devices unpatched, but had not responded in time for publication. ®

Biting the hand that feeds IT © 1998–2021