Pierluigi Paganini November 04, 2021

CISA urges vendors to address BrakTooth flaws after researchers have released public exploit code and a proof of concept tool for them.

US CISA is urging vendors to address BrakTooth flaws after security researchers have released public exploit code and a proof of concept tool to test Bluetooth devices against potential Bluetooth exploits.

“On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution.” reads CISA’s advisory.

“CISA encourages manufacturers, vendors, and developers to review BRAKTOOTH: Causing Havoc on Bluetooth Link Manager and update vulnerable Bluetooth System-on-a-Chip (SoC) applications or apply appropriate workarounds.”

BrakTooth is a set of 16 security flaws in commercial Bluetooth stacks that can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.

The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.

The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.

As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.

Some vendors like Espressif, Infineon (Cypress), and Bluetrum Technology have already released firmware updates to fix the issues other manufactures, including Intel and Qualcomm, are still assessing their products.

ASSET researchers published a list of impacted vendors along with the current patch status:

The researchers’s PoC tool could be executed with a cheap environment, a commercial ESP32-WROVER-KIT, custom Link Manager Protocol (LMP) firmware, and of course a computer to run the tool.

“As part of our work of reverse engineering ESP32 BT stack, we are releasing to the community a low-cost BT Classic (BR/EDR) Active Sniffer which is available at the following URL:

https://github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer

At the time of writing, this is the cheapest BR/EDR active sniffer, we are aware of due to the low price of ESP32 boards. ESP32-PICO-KIT can be purchased for $14.80  [25], but it is possible to find alternative ESP32 boards on AliExpress for as low as $4.” wrote the researchers.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Europol)

[adrotate banner=”5″]

[adrotate banner=”13″]