The embargo period is over for a proof-of-concept (PoC) tool to test for the recently revealed BrakTooth flaws in Bluetooth devices, and the researchers who discovered them have released both the test kit and full exploit code for the bugs.
BrakTooth is a collection of flaws affecting commercial Bluetooth stacks on more than 1,400 chipsets used in billions of devices – including smartphones, PCs, toys, internet-of-things (IoT) devices and industrial equipment – that rely on Bluetooth Classic (BT) for communication.
On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds.
— US-CERT (@USCERT_gov) November 4, 2021
The PoC has been made available on the BrakTooth website on GitHub.
As the paper pointed out, all that attackers need to do to pick apart the BrakTooth bugs is an off-the-shelf ESP32 board that can be had for $14.80, (or as low as $4 for an alternative board on AliExpress), custom Link Manager Protocol (LMP) firmware, and a computer to run the PoC tool.
BrakTooth: The Bluetooth Crash Chomper
Researchers from the University of Singapore disclosed the initial group of 16 vulnerabilities (now up to 22), collectively dubbed BrakTooth, in a paper published in September. They found the bugs in the closed commercial BT stack used by 1,400+ embedded chip components and detailed a host of attack types they can cause: Mainly denial of service (DoS) via firmware crashes (the term “brak” is actually Norwegian for “crash”). One of the bugs can also lead to arbitrary code execution (ACE).
Since the paper was published, there have been a number of updates, as vendors have scrambled to patch or to figure out whether or not they will in fact patch, and as researchers have uncovered additional vulnerable devices.
For instance, researchers subsequently discovered that BrakTooth affects iPhones and Macbooks. The bugs also affect Microsoft Surface laptops, Dell desktop PCs and laptops, smartphones from Sony and Oppo, and audio offerings from Walmart and Panasonic, among other devices.
As of September, the team had analyzed 13 pieces of BT hardware from 11 vendors and came up with a list of 20 CVEs, with four CVE assignments pending from Intel and Qualcomm.
As of September, some of the bugs were patched, while others were in the process of being patched. But, as researchers said in the paper, “it is highly probable that many other products (beyond the ≈1400 entries observed in Bluetooth listing) are affected by BrakTooth,” including BT system-on-chips (SoCs), BT modules or additional BT end products.
On Monday, the Singapore researchers updated their table of affected devices, after the chipset vendors Airoha, Mediatek and Samsung reported that some of their devices are vulnerable.
Patches Are Still in the Works
Some devices from Intel, Qualcomm and Samsung are still awaiting patches; and some from Qualcomm and Texas Instruments are listed as “no fix,” as in, the vendors aren’t planning to issue patches. Other vendors are still investigating the issue. A list of known affected vendors can be found in the research paper and below.
An updated list of the affected devices and vendors, plus their patch status, is available here or in the table below.
Bluetooth Should Mind Its Ps & Qs
One expert noted that BrakTooth exemplifies attackers’ “by any means necessary” mentality.
Garret Grajek, CEO of cloud-based access review engine vendor YouAttest, told Threatpost that attackers are poring over surface areas in order to find crevices to dig their fangs into. Bluetooth is nice and permeable, being “a mechanism with the most variants and thus cracks to exploit,” Grajek said via email on Friday.
To stay safe, the obvious advice holds, he said: i.e., patch when necessary.
And as recommended by both CISA and FBI, another key is to apply the principle of least privilege and ensure that the identities that would be compromised in an attack such as BrakTooth couldn’t allow adversaries to cause system damage.
The NIST recommendation is for all accounts, such as the Bluetooth service account, to be “checked to see they are not granted too much privilege to overtake the machine and extend attacks into the enterprise,” Grajek noted.
Make it so, via both access controls and “vigilant access certifications conducted on a periodic basis,” he advised.
No Big Surprise That Legacy Code Is Buggy
Saryu Nayyar, CEO of Gurucul, noted that it’s no surprise that there are a number of vulnerabilities in Bluetooth, “given that it’s a legacy wireless technology.” The real question, she proposed: Can the code be fixed?
“Because phones and PCs use Bluetooth extensively, just about everyone is potentially affected by these vulnerabilities,” she pointed out.
The bugs were found in complex codebases that have been tested for weaknesses “hundreds or thousands of times,” noted Doug Britton, CEO of Haystack Solutions – context that makes clear that we need “nimble” security minds.
“Companies need to keep investing in brains, not tools,” Britton told Threatpost via email. “Companies need to have security minds that can go off script when the attacker does. These nimble security minds are needed in the product vendors (such as those affected by these vulnerabilities) and the companies that utilize these products. Creativity will be needed on the part of product customers to look for potential indicia of attack. “
Keep Your Feelers Out for Nibbles
In an email on Friday, Nayyar recommended that enterprises that choose to allow Bluetooth on their networks should monitor it for abnormal activities. They should also inform employees of the potential for BrakTooth compromise: “Individual users have to be aware of the potential for Bluetooth compromises, but their organizations have to help them,” she added.
In many cases, organizations can identify unusual Bluetooth activity and let users know that there might be a problem, Nayyard suggested. “This is really the only way of identifying and remediating potential attacks against both individual devices and networks in general.”
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Brought to you by Specops.