Bluetooth (BT) has come under fire in recent years as a result of the disclosure of many significant flaws. A new family of security vulnerabilities in commercial BT stacks, ranging from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) on some IoT devices, was identified in a recent whitepaper. The paper, titled BrakTooth: Causing Havoc on Bluetooth Link Manager, was written by researchers from the Singapore University of Technology and Design. The name BrakTooth combines two words: 1) Brak and 2) Tooth. While Tooth obviously refers to Bluetooth devices, Brak is Norwegian for "crash". The BrakTooth family of flaws affects Bluetooth-enabled devices by repeatedly crashing or deadlocking them, with some flaws having more severe consequences such as arbitrary code execution. The researchers tested 13 Bluetooth devices from 11 different vendors. A total of 16 new security vulnerabilities were discovered; 20 Common Vulnerabilities and Exposures (CVE) identifiers have already been assigned, and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.

Many of the vulnerabilities have already been patched, and the remainder are in the process of being reproduced and patched. In addition, Espressif Systems and Xiaomi have paid bug bounties for four of the BrakTooth vulnerabilities. According to a search of the Bluetooth SIG product listing, BrakTooth affects around 1,400 product listings. BrakTooth exposes fundamental attack vectors in closed-source BT stacks. Because the same BT stack is frequently shared across numerous manufacturers, BrakTooth is likely to affect many more devices than the 1,400 products found in the listing. Vendors of Bluetooth system-on-chips (SoCs), Bluetooth modules, or Bluetooth end products are advised to use the BrakTooth proof-of-concept (PoC) code to evaluate their own BT stack implementation rather than relying on the product listing alone.

The affected products include audio appliances (BT speakers, headsets, ambient audio devices, etc.), personal computers and laptops, smartphones and, surprisingly, automotive multimedia electronic control units (PMP3), automotive infotainment systems (Volvo FH), and in-flight audio systems such as the AMU6500. The Volvo FH uses the Qualcomm CSR8811/CSR8510 chipset and the AMU6500 uses the Silicon Labs WT32i. The Qualcomm CSR8811/CSR8510 is unlikely to receive a fix, and Silicon Labs' investigation of the WT32i is still pending.
Written by Nishat Mowla