New Bluetooth vulnerabilities! Billions of Bluetooth devices worldwide face security threats

Wireless Bluetooth is so widely used today that a single vulnerability can affect hundreds of millions of devices around the world, and as more manufacturers turn out to be affected, the number of affected devices keeps growing. Recently, researchers found that billions of Bluetooth devices may be affected by a family of vulnerabilities called “BrakTooth”.

Event summary

(Image source: bleepingcomputer website)

Recently, researchers from the Singapore University of Technology and Design discovered 16 vulnerabilities in the Bluetooth Classic (BT) communication stack and decided to bundle them together under the name “BrakTooth”. These vulnerabilities reportedly exist in basic components of many Bluetooth devices and can be used for distributed denial of service (DDoS) attacks and remote code execution. The BrakTooth family may therefore affect billions of devices all over the world. “Brak” means “paralysis” or “destruction” in Norwegian.

The researchers said they analyzed and tested 13 Bluetooth devices from 11 companies and have found 20 vulnerabilities so far: the 16 mentioned above that already have CVE numbers, plus 4 that are still waiting for CVE numbers to be assigned.

A wide range of products affected

Researchers from the Singapore University of Technology and Design experimentally evaluated 13 Bluetooth devices built on chips from more than a dozen system-on-chip (SoC) vendors, including Intel, Qualcomm, Texas Instruments and Cypress.

The test results show that the device manufacturers known to be affected by the BrakTooth vulnerabilities include Intel, Cypress, Qualcomm, Texas Instruments, Zhuhai Jie Li Technology, Lanxun Technology, Actions Technology, Espressif Technology, Harman International and Silicon Labs Technology, among others. The Bluetooth chips produced by these companies are widely used in desktops, laptops, smartphones, Internet of Things devices, infotainment systems, audio equipment (headphones, Bluetooth speakers), keyboards and mice, toys, and industrial control equipment such as programmable logic controllers (PLCs).

The researchers therefore conservatively estimate that the vulnerabilities affect at least 1 billion devices worldwide, and that an attacker exploiting them can tamper with Bluetooth firmware, block Bluetooth connections, deadlock devices, and execute arbitrary code. Exploiting these vulnerabilities does, of course, require being within Bluetooth range, so a large-scale, widespread attack is unlikely. However, for an attacker targeting a specific company, a vulnerable Bluetooth chip could be one point of entry, for example to disrupt the normal operation of industrial equipment.

Vulnerability threat analysis

First, the most dangerous of the 16 known BrakTooth vulnerabilities is CVE-2021-28139. It exists in the ESP32 system-on-chip (SoC). The ESP32 is a series of low-cost, low-power microcontrollers with dual-mode WiFi and Bluetooth, developed and supplied by Espressif. It is widely used in Internet of Things (IoT) devices, including industrial, personal and household equipment, which is why this vulnerability is regarded as the most impactful one.

The Singapore University of Technology and Design explained that this is an out-of-bounds vulnerability found in the ESP32 BT library. The researchers wrote in their report that the vulnerability is triggered when a malformed “LMP Feature Response Extended” packet is received, “thereby causing arbitrary 8-byte data to be injected.” Attackers familiar with the firmware layout can reportedly use this vulnerability to carry out an attack.

In the laboratory, the researchers were able to erase data stored in non-volatile random access memory (NVRAM), disable Bluetooth and WiFi connections, and arbitrarily control general-purpose input/output (GPIO) pins through such attacks. GPIO pins carry signals such as the presence or absence of power from a control switch to the CPU, which means an attacker could turn the device off and on at will. This can cause major accidents, especially in industrial production.
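The bug class described above, as an added illustration that is not the ESP32 stack's own code: a hypothetical LMP feature-response handler that trusts the page index from the packet and so writes 8 peer-controlled bytes past its feature table, beside a hardened handler that validates length, opcodes and page index before copying. The PDU layout and the two-page table are simplified assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Simplified model (constructed for this example) of an LMP_features_res_ext PDU:
 * [escape opcode 127][extended opcode 4][features page][max supported page][8 feature bytes] */
enum { LMP_ESCAPE_OPCODE = 127, LMP_FEATURES_RES_EXT = 4, LMP_FEATURE_LEN = 8,
       LMP_FEAT_RES_EXT_PDU_LEN = 12, MAX_FEATURE_PAGES = 2 /* hypothetical: pages 0 and 1 */ };

typedef struct {
    uint8_t ext_features[MAX_FEATURE_PAGES][LMP_FEATURE_LEN];
    uint8_t sentinel[LMP_FEATURE_LEN];   /* stands in for whatever follows in firmware RAM */
} remote_dev_t;

/* Vulnerable shape: trusts the page number received over the air, so page >= 2
 * writes 8 peer-controlled bytes past the table (same effect as dev->ext_features[page]). */
void handle_feat_res_ext_vuln(remote_dev_t *dev, const uint8_t *pdu) {
    memcpy((uint8_t *)dev + pdu[2] * LMP_FEATURE_LEN, pdu + 4, LMP_FEATURE_LEN);
}

/* Hardened: check length, opcodes and page index before touching the table. */
bool handle_feat_res_ext_safe(remote_dev_t *dev, const uint8_t *pdu, size_t len) {
    if (len != LMP_FEAT_RES_EXT_PDU_LEN) return false;
    if (pdu[0] != LMP_ESCAPE_OPCODE || pdu[1] != LMP_FEATURES_RES_EXT) return false;
    if (pdu[2] >= MAX_FEATURE_PAGES) return false;   /* reject, never clamp silently */
    memcpy(dev->ext_features[pdu[2]], pdu + 4, LMP_FEATURE_LEN);
    return true;
}

/* Constructed malformed PDU: page 2 (one past the table) carrying 8 marker bytes. */
static const uint8_t BAD_PDU[LMP_FEAT_RES_EXT_PDU_LEN] =
    {127, 4, 2, 2, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA};

/* True if the vulnerable handler let the marker bytes reach the sentinel. */
bool demo_overflow(void) {
    remote_dev_t dev = {0};
    handle_feat_res_ext_vuln(&dev, BAD_PDU);
    return dev.sentinel[0] == 0xAA && dev.sentinel[7] == 0xAA;
}

/* True if the hardened handler rejects the malformed and truncated PDUs untouched, yet stores a good page-1 response. */
bool demo_hardened(void) {
    remote_dev_t dev = {0};
    const uint8_t good[LMP_FEAT_RES_EXT_PDU_LEN] = {127, 4, 1, 1, 5, 6, 7, 8, 9, 10, 11, 12};
    bool rejected = !handle_feat_res_ext_safe(&dev, BAD_PDU, sizeof BAD_PDU) &&
                    !handle_feat_res_ext_safe(&dev, good, sizeof good - 1);
    bool stored = handle_feat_res_ext_safe(&dev, good, sizeof good) &&
                  dev.ext_features[1][0] == 5 && dev.ext_features[1][7] == 12;
    return rejected && stored && dev.sentinel[0] == 0;
}
```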

Second, the most serious vulnerability after that, according to the researchers, is CVE-2021-34147. It exists in the Intel AX200 SoC and the Qualcomm WCN3990 SoC, two chips found mainly in laptops and smartphones. The researchers explained that an attacker can trigger the vulnerability by calling or sending malicious packets, and that repeating this exhausts the SoC. An exhausted SoC drops all established connections and may even power off intermittently, leaving the device in a very unstable state.

In the laboratory, the researchers were able to forcibly disconnect Bluetooth devices connected as slaves to Windows and Linux laptops, and to destabilize Xiaomi Pocophone F1 and OPPO Reno 5G smartphones. They added that the BrakTooth family also contains a major vulnerability usable for DDoS attacks that exists only in Intel’s AX200 SoC series.

Third, the researchers also tested the recently popular Bluetooth audio devices, such as the Xiaomi portable Bluetooth speaker MDZ-36-DB, BT headsets and BT audio modules, along with other unbranded Bluetooth audio receivers. As a result, vulnerabilities including CVE-2021-31609, CVE-2021-31612, CVE-2021-31613, CVE-2021-31611, CVE-2021-28135, CVE-2021-28155 and CVE-2021-31717 were discovered.

Successful exploitation of these vulnerabilities can cause the device to stop functioning while playing audio such as music. Because the researchers could not run longer experiments, these vulnerabilities were only found in some audio products, but they believe similar vulnerabilities are likely to exist in other Bluetooth devices, and that beyond those found so far, more vulnerabilities are likely to exist across the Bluetooth ecosystem.

(Image source: Korea Security News website)

Preventive measures

The BrakTooth vulnerabilities affect a wide variety of Bluetooth devices, from consumer electronics to industrial equipment, and the scope and number of affected devices are staggering. Bluetooth chip manufacturers will now have to keep tracking and analyzing the vulnerabilities in order to develop patches, after which device manufacturers will release updates to help companies and consumers fix them.

The researchers notified the affected chip manufacturers before publishing the BrakTooth vulnerabilities. At present, some of the vulnerabilities have been fixed and patches for others are still in development, so the road to full remediation may be relatively long.

Until all the vulnerabilities are fixed, the best defense against the BrakTooth family is not to connect to any device you don’t know or trust.

Information about BrakTooth series vulnerabilities

The BrakTooth vulnerabilities mainly target the Link Manager Protocol (LMP) and the baseband layer. Currently, 16 of them have been assigned CVE numbers and 4 are waiting for CVE numbers.
