Bluetooth Bugs Known as BrakTooth Affect Billions of Devices
BrakTooth is a family of 16 vulnerabilities that affect billions of devices relying on Bluetooth Classic (BR/EDR) for communication. According to a paper from the Singapore University of Technology and Design (SUTD), the bugs sit in closed-source commercial Bluetooth stacks used by more than 1,400 embedded chip components. Most of the vulnerabilities lead to denial of service through firmware crashes or deadlocks; one of them can also lead to arbitrary code execution.
Twenty CVEs have been assigned across the BrakTooth flaws, with four more pending CVE assignment from Intel and Qualcomm. Some bugs are already patched, others are still being patched. It remains highly probable that many other products are affected, including Bluetooth system-on-chips, Bluetooth modules and end products built on them, because the vulnerable stacks are shared across vendors' product lines.
Researchers describe three main attack scenarios. The most critical vulnerability, CVE-2021-28139, affects the Espressif ESP32, a series of low-cost, low-power SoC microcontrollers with integrated Wi-Fi and dual-mode Bluetooth that are common in industrial automation, smart-home devices and personal fitness gadgets. The flaw is an out-of-bounds write: the Features Page field of an extended features response (LMP_features_res_ext) is used as an offset without a range check, so an attacker who knows the firmware layout of the target can write a chosen, known function address to a location of their choice. Using this, the researchers erased data held in the device's non-volatile random-access memory (NVRAM), which retains its contents without power, disabled both Bluetooth and Wi-Fi, and, by knowing the addresses of the functions that drive attached actuators, controlled the device's general-purpose input/output (GPIO) pins.
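The bug class behind CVE-2021-28139, as an added example that is not ESP32 firmware or the BrakTooth proof of concept: a model of an LMP_features_res_ext handler that trusts the FeaturesPage field as an array index, beside the bounds-checked version. The struct layout, the callback slot placed after the feature table, the page count and the planted address are all hypothetical; only the PDU field order (FeaturesPage, MaxSupportedPage, ExtendedFeatures) follows the LMP PDU.

```c
/* Added example, not ESP32 firmware or the BrakTooth PoC: a model of an
 * LMP_features_res_ext handler that trusts the FeaturesPage field as an
 * array index, beside the bounds-checked version. Layout, names and the
 * callback slot are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FEATURE_PAGES 3             /* pages 0..2 are cached (assumption) */
#define PAGE_LEN      8             /* an LMP feature page is 8 bytes */
#define ORIGINAL_CB   0xC0FFEEULL   /* value that should stay in the slot */
#define PLANTED_ADDR  0x40000123ULL /* "known function address" the attacker supplies */

struct remote_dev {
    uint8_t  features[FEATURE_PAGES][PAGE_LEN];
    uint64_t cb_addr;   /* hypothetical pointer-sized slot right after the table */
};
_Static_assert(offsetof(struct remote_dev, cb_addr) == FEATURE_PAGES * PAGE_LEN,
               "the slot must sit directly after the feature table for the demo");

/* LMP_features_res_ext payload: FeaturesPage (1), MaxSupportedPage (1), ExtendedFeatures (8). */
#define RES_EXT_LEN (2 + PAGE_LEN)

/* Vulnerable: the page index becomes a write offset with no range check.
 * page == FEATURE_PAGES lands exactly on cb_addr; anything larger writes
 * past the object (undefined behaviour), so the demo stops at 3. */
static int features_res_ext_vulnerable(struct remote_dev *dev, const uint8_t *pdu, size_t len)
{
    if (len < RES_EXT_LEN)
        return -1;
    uint8_t page = pdu[0];
    memcpy((uint8_t *)dev + (size_t)page * PAGE_LEN, pdu + 2, PAGE_LEN);
    return 0;
}

/* Hardened: reject pages the table cannot hold before touching memory. */
static int features_res_ext_hardened(struct remote_dev *dev, const uint8_t *pdu, size_t len)
{
    if (len < RES_EXT_LEN)
        return -1;
    uint8_t page = pdu[0];
    if (page >= FEATURE_PAGES)
        return -1;              /* caller would answer with LMP_not_accepted_ext */
    memcpy(dev->features[page], pdu + 2, PAGE_LEN);
    return 0;
}

/* Build a constructed PDU that carries PLANTED_ADDR as the "feature bits"
 * of the requested page, run one handler, and report rc plus the slot. */
static int run_res_ext(int hardened, uint8_t page, uint64_t *cb_after)
{
    struct remote_dev dev;
    memset(&dev, 0, sizeof dev);
    dev.cb_addr = ORIGINAL_CB;

    uint8_t pdu[RES_EXT_LEN];
    pdu[0] = page;                      /* FeaturesPage, attacker controlled */
    pdu[1] = FEATURE_PAGES - 1;         /* MaxSupportedPage */
    uint64_t addr = PLANTED_ADDR;
    memcpy(pdu + 2, &addr, PAGE_LEN);   /* native byte order, so the slot reads back as addr */

    int rc = hardened ? features_res_ext_hardened(&dev, pdu, sizeof pdu)
                      : features_res_ext_vulnerable(&dev, pdu, sizeof pdu);
    *cb_after = dev.cb_addr;
    return rc;
}

/* Return code of the chosen handler for a given page. */
int rc_after_res_ext(int hardened, uint8_t page)
{
    uint64_t cb;
    return run_res_ext(hardened, page, &cb);
}

/* Contents of the slot after the chosen handler processed the page. */
uint64_t cb_after_res_ext(int hardened, uint8_t page)
{
    uint64_t cb;
    (void)run_res_ext(hardened, page, &cb);
    return cb;
}

int main(void)
{
    printf("vulnerable, page 3: rc=%d slot=0x%llx\n", rc_after_res_ext(0, 3),
           (unsigned long long)cb_after_res_ext(0, 3));
    printf("hardened,   page 3: rc=%d slot=0x%llx\n", rc_after_res_ext(1, 3),
           (unsigned long long)cb_after_res_ext(1, 3));
    return 0;
}
```

With the vulnerable handler, page 3 replaces the slot contents with the planted value; the hardened handler refuses the page and the slot is untouched. On real firmware the equivalent slot is whatever the attacker finds at that offset in the known layout, which is why the researchers needed the firmware layout to turn the write into erased NVRAM or toggled GPIO.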
The second attack scenario is a denial of service against laptops and smartphones. The researchers demonstrated it on devices using Intel AX200 and Qualcomm WCN3990 SoCs. The underlying bug, CVE-2021-34147, is a failure of the SoC to free resources when it receives an invalid LMP_timing_accuracy_res from a connected Bluetooth device. An attacker can exhaust the SoC by repeatedly paging it, sending malformed packets, or disconnecting without sending LMP_detach, until Bluetooth stops working or the firmware crashes.
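The failure mode behind CVE-2021-34147, as an added example that is not Intel or Qualcomm firmware: a model controller that reserves a per-transaction slot for each LMP_timing_accuracy_req it sends, and a response handler that rejects an invalid LMP_timing_accuracy_res but forgets to release the slot on that path, beside the version that releases it on every path. The pool size, struct names and the validation limits are hypothetical; the drift and jitter fields are the PDU's two parameters.

```c
/* Added example, not Intel or Qualcomm firmware: a model of the
 * LMP_timing_accuracy_res failure mode where an invalid response is
 * rejected but the per-transaction resource is never released.
 * Pool size, names and validation limits are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LMP_SLOTS 4   /* hypothetical number of outstanding LMP transactions */

struct lmp_pool {
    int in_use[LMP_SLOTS];
};

/* Reserve a slot for an outgoing LMP_timing_accuracy_req; -1 when exhausted. */
static int lmp_slot_alloc(struct lmp_pool *p)
{
    for (int i = 0; i < LMP_SLOTS; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            return i;
        }
    }
    return -1;
}

static void lmp_slot_free(struct lmp_pool *p, int slot)
{
    p->in_use[slot] = 0;
}

static int pool_free_count(const struct lmp_pool *p)
{
    int n = 0;
    for (int i = 0; i < LMP_SLOTS; i++)
        n += !p->in_use[i];
    return n;
}

/* LMP_timing_accuracy_res carries Drift (ppm) and Jitter (us); the
 * bounds used here (250 ppm, 10 us) are illustrative. */
static int timing_accuracy_res_valid(const uint8_t *pdu, size_t len)
{
    return len >= 2 && pdu[0] <= 250 && pdu[1] <= 10;
}

/* Vulnerable: the early return on an invalid response skips the release,
 * so every malformed reply permanently burns one slot. */
static int handle_res_vulnerable(struct lmp_pool *p, int slot, const uint8_t *pdu, size_t len)
{
    if (!timing_accuracy_res_valid(pdu, len))
        return -1;                /* slot stays in_use forever */
    lmp_slot_free(p, slot);
    return 0;
}

/* Hardened: the transaction ends either way; only the verdict differs. */
static int handle_res_hardened(struct lmp_pool *p, int slot, const uint8_t *pdu, size_t len)
{
    int rc = timing_accuracy_res_valid(pdu, len) ? 0 : -1;
    lmp_slot_free(p, slot);
    return rc;
}

/* Simulate a peer that answers n requests with a malformed response and
 * report how many slots remain for legitimate traffic afterwards. */
int slots_left_after_storm(int hardened, int n_malformed)
{
    struct lmp_pool pool;
    memset(&pool, 0, sizeof pool);
    const uint8_t bad[2] = { 0xFF, 0x00 };   /* constructed: drift 255 ppm is out of range */

    for (int i = 0; i < n_malformed; i++) {
        int slot = lmp_slot_alloc(&pool);
        if (slot < 0)
            break;               /* pool exhausted: the controller can no longer issue requests */
        if (hardened)
            (void)handle_res_hardened(&pool, slot, bad, sizeof bad);
        else
            (void)handle_res_vulnerable(&pool, slot, bad, sizeof bad);
    }
    return pool_free_count(&pool);
}

int main(void)
{
    printf("vulnerable after %d bad replies: %d free slots\n", LMP_SLOTS, slots_left_after_storm(0, LMP_SLOTS));
    printf("hardened   after %d bad replies: %d free slots\n", 100, slots_left_after_storm(1, 100));
    return 0;
}
```

The vulnerable handler runs out of slots after LMP_SLOTS malformed replies and never recovers, which is the exhaustion the paragraph describes; the hardened one survives any number of them because release does not depend on validation succeeding.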
The third attack scenario affects speakers, headphones and audio modules. Successful attacks freeze the device, and the user has to power-cycle it by hand to bring it back; the researchers showed this while the user was actively playing music.
The researchers have released a BrakTooth proof-of-concept tool to Bluetooth SoC vendors so they can test their own chips. Bluetooth vulnerabilities are particularly concerning because of the vast number of Bluetooth devices they can affect, and unfortunately they are not that uncommon.