Security researchers at the Singapore University of Technology and Design (SUTD) have found 16 security flaws in commercially used Bluetooth stack implementations, which they collectively named “BrakTooth”.
According to the researchers, these vulnerabilities in Bluetooth Classic (BR/EDR) implementations can be used for a range of malicious actions, from crashing the device (denial of service) to executing arbitrary code and taking control of a vulnerable system.
The BrakTooth vulnerabilities affect SoCs from a number of manufacturers, including Intel, Qualcomm, Texas Instruments, Infineon (Cypress), and Silicon Labs.
The researchers examined 13 Bluetooth chipsets from 11 different manufacturers. Since many end products use the same Bluetooth chips, they estimate at least 1,400 affected products. The chips are built into laptops, smartphones, IoT devices and speakers, so the problems are likely to affect billions of devices overall.
Among the vulnerable devices, the researchers name Microsoft Surface laptops, Dell desktops and several smartphone models based on Qualcomm chips.
To exploit the flaws, an attacker only needs to be within Bluetooth radio range of the vulnerable device, along with an “inexpensive ESP32 development kit” running specific firmware and a PC running the attack tool. None of the flaws requires prior pairing or authentication.
Not every device that uses an affected Bluetooth chipset is exploitable, the researchers made clear, though it may still suffer impaired Bluetooth connectivity. “The overall security of an end-product, which has an internal chipset with firmware flaws, depends on how much the product relies on such a vulnerable chipset for its main functionality.”
The team informed the affected manufacturers about the vulnerabilities more than three months ago. So far, however, only Espressif Systems, Infineon and Bluetrum have released patches. The Texas Instruments security team said it would only create a patch if customers asked for it. The remaining vendors are conducting their own investigations and have not yet given release dates for their fixes.