Singapore University of Technology and Design researchers have revealed a family of 20 vulnerabilities, which they collectively dubbed BrakTooth, that affect more than 1,400 products based on 13 different Bluetooth devices sold by 11 of the world's leading vendors.
The security flaws were confirmed to affect 1,400 smartphones, laptops, keyboards, headphones, and other Bluetooth-enabled devices. But that's a minimum. "As the BT stack is often shared across many products," the researchers said, "it is highly probable that many other products (beyond the ≈1400 entries observed in Bluetooth listing) are affected by BrakTooth."
BrakTooth can reportedly be exploited to conduct denial of service (DoS) attacks and enable arbitrary code execution (ACE) on target devices. DoS attacks can disrupt the victim's Bluetooth connection or, in some cases, require Bluetooth connectivity to be restarted manually. ACE can be used to erase user data, disable wireless connectivity, or interact with other devices.
The good news: BrakTooth only enables ACE on the ESP32 system on chip (SoC) made by Espressif Systems. The bad news: The ESP32 is commonly found in Internet of Things (IoT) devices as well as industrial systems. The SoC is so common that the researchers' proof of concept exploit actually uses an ESP32 development kit to conduct attacks on target devices.
The researchers said they disclosed BrakTooth to all of the affected vendors. Some companies have already released firmware patches to address the vulnerability, others are investigating the issue, and a few have said they don't plan to fix the flaw. Here's the breakdown:
The Singapore University of Technology and Design researchers said they don't plan to publicly release the full proof of concept exploit until the end of October 2021 because that's when Intel is supposed to patch its devices. They did, however, release instructions for "a low-cost BT Classic (BR/EDR) Active Sniffer" that will use the proof of concept exploit when it's released.