• United States
Jon Gold
Senior Writer

Researchers show how to exploit Bluetooth Classic security flaws

Nov 16, 20212 mins
Internet of Things

A set of Bluetooth Classic vulnerabilities has a new proof-of-concept from a Singapore-based security research team, as chipset makers scramble to deploy patches.

wireless security vulnerability
Credit: Thinkstock

Researchers at Singapore University of Technology and Design has released a proof-of-concept exploit for a family of vulnerabilities it has dubbed BrakTooth, which affects the software development kit used to program Bluetooth chipsets using the ESP32 standard.

BrakTooth affects the Bluetooth Classic protocol, which is widely used in laptops, smartphones and audio devices. The team says 16 flaws make up BrakTooth, the effects of which, if exploited, range in severity from crashing affected systems to remote code execution.

The most serious flaw, dubbed V1 by the team, targets the ESP32 SoCs used in industrial automation, smart home, and fitness applications, among others. Certain models of MacBooks and iPhones are known to be affected. Because the ESP32 BT Library does not correctly run an out-of-bounds check on certain types of inputs, a malicious request to the system can allow an attacker to inject code onto a vulnerable system and potentially take control.

Other flaws give an attacker a wide range of potential mischief, including forcibly disconnecting Bluetooth devices from one another, using a vulnerable endpoint to crash all connections on a paired device, and shutting down connected audio devices. The attacks take place over the Bluetooth network itself, requiring nothing more than a piece of cheap Bluetooth hardware and a PC.

The team said the total number of vulnerable chipsets could be more than 1,400, which means that devices using those chipsets could be compromised by the BrakTooth flaws. This means that devices ranging from IoT gadgetry to manufacturing equipment to laptops and smartphones are vulnerable. Affected manufacturers include Intel, Texas Instruments and Qualcomm.

Chipset vendors have been informed of the BrakTooth vulnerabilities, and many have already issued patches for use by OEMs or even to the general public at large. The researchers have created a table of who’s updated what, and published BrakTooth proof-of-concept code.

The same group of researchers has been working on Bluetooth security for some time, having previously revealed flaws like SweynTooth in Bluetooth LE. This was a similar group of security issues centered on a lack of sufficient code validation, which was made public in 2019. Many of the products affected by SweynTooth were medical devices, most critically including blood glucose meters and pacemakers. These flaws have mostly been patched, according to the team.