Researchers at Singapore University of Technology and Design have released a proof-of-concept exploit for a family of vulnerabilities they have dubbed BrakTooth, which affects the software development kit used to program Bluetooth chipsets using the ESP32 standard.

BrakTooth affects the Bluetooth Classic protocol, which is widely used in laptops, smartphones and audio devices. The team says 16 flaws make up BrakTooth, the effects of which, if exploited, range in severity from crashing affected systems to remote code execution.

The most serious flaw, dubbed V1 by the team, targets the ESP32 SoCs used in industrial automation, smart home, and fitness applications, among others. Certain models of MacBooks and iPhones are known to be affected. Because the ESP32 BT Library does not correctly run an out-of-bounds check on certain types of inputs, a malicious request to the system can allow an attacker to inject code onto a vulnerable system and potentially take control.

Other flaws give an attacker a wide range of potential mischief, including forcibly disconnecting Bluetooth devices from one another, using a vulnerable endpoint to crash all connections on a paired device, and shutting down connected audio devices. The attacks take place over the Bluetooth network itself, requiring nothing more than a piece of cheap Bluetooth hardware and a PC.

The team said the total number of vulnerable chipsets could be more than 1,400, which means that devices using those chipsets could be compromised by the BrakTooth flaws. Devices ranging from IoT gadgetry to manufacturing equipment to laptops and smartphones are therefore vulnerable. Affected manufacturers include Intel, Texas Instruments and Qualcomm.

Chipset vendors have been informed of the BrakTooth vulnerabilities, and many have already issued patches for use by OEMs or even by the general public. The researchers have created a table of who’s updated what, and published BrakTooth proof-of-concept code.

The same group of researchers has been working on Bluetooth security for some time, having previously revealed flaws like SweynTooth in Bluetooth LE. SweynTooth was a similar group of security issues centered on a lack of sufficient code validation, and was made public in 2019. Many of the products affected by SweynTooth were medical devices, most critically including blood glucose meters and pacemakers. These flaws have mostly been patched, according to the team.