Brak Tooth Bluetooth Bugs Bite: Exploit Code, PoC Released!

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

The embargo period is over for a proof-of-concept (PoC) tool to test for the recently revealed Brak Tooth flaws in Bluetooth devices, & the researchers who discovered them have released both the test kit & full exploit code for the bugs.

The US CISA is urging vendors to patch, given the release of public exploit code & a proof of concept tool for bugs that open billions of devices – phones, PCs, toys, etc. – to DoS & code execution.

Flaws

Brak Tooth is a collection of flaws affecting commercial Bluetooth stacks on more than 1,400 chipsets used in billions of devices – including smartphones, PCs, toys, internet-of-things (IoT) devices & industrial equipment – that rely on Bluetooth Classic (BT) for communication.

On Thur., CISA urged manufacturers, vendors & developers to patch or employ workarounds.

The PoC has been made available on the Brak Tooth website on GitHub.

As the paper pointed out, all that attackers need to do to unravel the Brak Tooth bugs is an off-the-shelf ESP32 board that can be obtained for $14.80, (or as low as $4 for an alternative board on AliExpress), custom Link Manager Protocol (LMP) firmware, & a computer to run the PoC tool.

The Bluetooth Crash

Researchers from the University of Singapore disclosed the initial group of 16 vulnerabilities (now up to 22), collectively dubbed Brak Tooth, in a paper published in Sept.

They found the bugs in the closed commercial BT stack used by 1,400+ embedded chip components & detailed a host of attack types they can cause: Mainly denial of service (DoS) via firmware crashes (the term “brak” is actually Norwegian for “crash”). One of the bugs can also lead to arbitrary code execution (ACE).

Number of Updates

Since the paper was published, there have been a number of updates, as vendors have scrambled to patch or to work out whether or not they will in fact patch, & as researchers have uncovered additional vulnerable devices.

For instance, researchers subsequently discovered that Brak Tooth affects iPhones & Macbooks. The bugs also affect Microsoft Surface laptops, Dell desktop PCs & laptops, smartphones from Sony & Oppo, & audio offerings from Walmart & Panasonic, among other devices.

As of Sept., the team had analysed 13 pieces of BT hardware from 11 vendors & produced a list of 20 CVEs, with 4 CVE assignments pending from Intel & Qualcomm.

Since then, Qualcomm has issued CVEs for V6 (8.6) & V15 (8.15).

Highly Probable

As of Sept., some of the bugs were patched, while others were in the process of being patched. As researchers explained in the paper, “it is highly probable that many other products (beyond the ≈1400 entries observed in Bluetooth listing) are affected by Brak Tooth,” including BT system-on-chips (SoCs), BT modules or additional BT end products.

On Mon., the Singapore researchers updated their table of affected devices, after the chipset vendors Airoha, Mediatek & Samsung reported that some of their devices are vulnerable.

Patches

Some devices from Intel, Qualcomm & Samsung are still awaiting patches; & some from Qualcomm and Texas Instruments are listed as “no fix,” as in, the vendors are not planning to issue patches. Other vendors are still investigating the issue. A list of known affected vendors can be found in the research paper.

An updated list of the affected devices & vendors, plus their patch status, is available here.

Bluetooth Should Be Careful

One expert noted that Brak Tooth exemplifies attackers’ “by any means necessary” mentality.

Garret Grajek, CEO of cloud-based access review engine vendor You Attest, explained that attackers are poring over surface areas in order to find defects. Bluetooth is nice & permeable, being “a mechanism with the most variants & thus cracks to exploit,” Grajek stated via email on Fri.

To stay safe, the obvious advice holds, he outlined: i.e., patch when necessary.

US CISA & FBI

As recommended by both the US CISA & FBI, another key is to apply the principle of least privilege & ensure that the identities that would be compromised in an attack such as Brak Tooth could not allow adversaries to cause system damage.

The NIST recommendation is for all accounts, such as the Bluetooth service account, to be “checked to see they are not granted too much privilege to overtake the machine & extend attacks into the enterprise,” Grajek noted.

Make it so, via both access controls & “vigilant access certifications conducted on a periodic basis,” he advised.

Legacy Code Is Buggy

Saryu Nayyar, CEO of Gurucul, noted that it is no surprise that there are a number of vulnerabilities in Bluetooth, “given that it’s a legacy wireless technology.” The real question, she proposed: Can the code be fixed?

“Because phones & PCs use Bluetooth extensively, just about everyone is potentially affected by these vulnerabilities,” she pointed out.

The bugs were found in complex codebases that have been evaluated for weaknesses “100s or 1,000s of times,” noted Doug Britton, CEO of Haystack Solutions – context that makes clear that we need “nimble” security minds.

Investing in Brains

“Companies need to keep investing in brains, not tools,” Britton advised.

“Companies need to have security minds that can go off script when the attacker does. These nimble security minds are needed in the product vendors (such as those affected by these vulnerabilities) & the companies that use these products. Creativity will be needed on the part of product customers to look for potential indicia of attack.“

Keep Your Feelers Out

In an email on Fri., Nayyar recommended that enterprises that choose to allow Bluetooth on their networks should monitor it for abnormal activities.

They should also inform employees of the potential for Brak Tooth compromise: “Individual users have to be aware of the potential for Bluetooth compromises, but their organisations have to help them,” she added.

In many cases, organisations can identify unusual Bluetooth activity & let users know that there might be a problem, Nayyard suggested.

“This is really the only way of identifying & remediating potential attacks against both individual devices & networks in general.”

Virtual Conference November 2021

 

More To Explore

Community Area

Books

Home Workouts

Recipe

spaghetti Bolognese
Days
Hours
Minutes
Seconds