The embargo on the proof-of-concept (PoC) tool for testing Bluetooth devices against the recently disclosed BrakTooth flaws has expired, and the researchers who identified them have published both the test kit and full exploit code for the issues.
BrakTooth is a collection of defects affecting commercial Bluetooth stacks on over 1,400 chipsets used in billions of devices that rely on Bluetooth Classic (BT) for communication, such as smartphones, PCs, toys, internet-of-things (IoT) devices, and industrial equipment.
On Thursday, CISA asked manufacturers, suppliers, and developers to patch or apply workarounds.
The PoC is now accessible on the BrakTooth website on GitHub.
According to the article, all an attacker needs to pick apart the BrakTooth issues is a $14.80 off-the-shelf ESP32 board (or as little as $4 for an alternative board on AliExpress), modified Link Manager Protocol (LMP) software, and a desktop to run the PoC tool.
The Bluetooth Crash Chomper, BrakTooth
In a report released in September, researchers from the University of Singapore disclosed the initial set of 16 vulnerabilities (now up to 22), collectively termed BrakTooth. They discovered the flaws in the closed commercial BT stacks used by over 1,400 embedded chip components and described a variety of attack techniques that can result: the most common is denial of service (DoS) caused by firmware crashes (the term “brak” is Norwegian for “crash”). One of the flaws may also lead to arbitrary code execution (ACE).
There have been many changes since the study was released, as companies have hurried to patch or to determine whether they will patch, and as researchers have discovered other vulnerable devices.
Researchers, for example, later revealed that BrakTooth affects iPhones as well as MacBooks. The flaws also impact Microsoft Surface computers, Dell desktop PCs and laptops, Sony and Oppo smartphones, and Walmart and Panasonic audio products, among other gadgets.
As of September, the team had assessed 13 pieces of BT hardware from 11 vendors and identified 20 CVEs, with four CVE assignments from Intel and Qualcomm still pending.
Qualcomm has since provided CVEs for V6 (8.6) and V15 (8.15).
Some of the problems had been addressed as of September, while the others were in the process of being patched. However, according to the researchers, “it is quite likely that many other items (beyond the 1400 entries detected in Bluetooth listing) are impacted by BrakTooth,” including BT system-on-chips (SoCs), BT modules, or other BT end products.
After chipset suppliers Airoha, Mediatek, and Samsung acknowledged that some of their devices are susceptible, the Singapore researchers updated their table of impacted devices on Monday.
Bluetooth Should Mind Its Ps & Qs
According to one analyst, BrakTooth shows attackers’ “by any means necessary” mindset.
According to Garret Grajek, CEO of cloud-based access review engine company YouAttest, attackers are poring over attack surfaces looking for fissures to sink their teeth into. Bluetooth is good and permeable since it is “the mechanism with the most variants and thus cracks to exploit,” Grajek explained in an email on Friday.
To stay secure, he continued, the usual advice applies: patch when necessary.
Another important factor, advocated by both CISA and the FBI, is to follow the principle of least privilege and ensure that the identities that would be compromised in an attack like BrakTooth could not allow attackers to do the system harm.
According to Grajek, the NIST recommends that all accounts, including the Bluetooth service account, be “checked to see they are not granted too much privilege to overtake the machine and extend attacks into the enterprise.”
Make it so via access restrictions and “vigilant access certifications conducted on a periodic basis,” he suggested.
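One concrete way to carry out the privilege check Grajek describes is to audit the sandboxing of the host's Bluetooth daemon. The script below is an added example, not code from the article or from any vendor; it assumes a Linux host where bluetoothd is managed by systemd, parses the KEY=VALUE output of `systemctl show`, and compares it against a hardening baseline. The baseline (which properties to demand, and the capability allowlist that an HCI-using daemon plausibly needs) is an assumption made for this example; the sample outputs are constructed.

```python
"""Audit the privilege envelope of a systemd-managed Bluetooth daemon.

Added example. Assumptions (not from the article): the host runs systemd,
the unit is bluetooth.service, and the baseline below is the local policy.
"""
import subprocess
from typing import Dict, List

# Sandboxing directives the example baseline requires, with acceptable values.
REQUIRED = {
    "NoNewPrivileges": {"yes", "true"},
    "ProtectSystem": {"strict", "full"},
    "ProtectHome": {"yes", "true", "read-only", "tmpfs"},
    "PrivateTmp": {"yes", "true"},
}

# Capabilities a BT host stack plausibly needs to open HCI sockets and manage
# adapters (assumed allowlist). Anything beyond this set is flagged.
ALLOWED_CAPS = {"cap_net_bind_service", "cap_net_admin", "cap_net_raw"}

PROPERTIES = ["User", "CapabilityBoundingSet"] + list(REQUIRED)


def fetch_unit_properties(unit: str = "bluetooth.service") -> str:
    """Live query (not used by the offline demo): `systemctl show UNIT --property=...`."""
    cmd = ["systemctl", "show", unit, "--property=" + ",".join(PROPERTIES)]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_show_output(text: str) -> Dict[str, str]:
    """Turn `systemctl show` KEY=VALUE lines into a dict (blank values kept as '')."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return one finding per deviation from the baseline; empty list means compliant."""
    findings: List[str] = []
    for key, acceptable in REQUIRED.items():
        value = props.get(key, "")
        if value.lower() not in acceptable:
            findings.append(
                f"{key}={value or '<unset>'} (expected one of {sorted(acceptable)})"
            )
    caps_raw = props.get("CapabilityBoundingSet", "")
    if not caps_raw:
        # An empty bounding set here means the property was not reported; treat
        # a root-run service with no reported restriction as a finding.
        findings.append("CapabilityBoundingSet not reported; service privileges unbounded")
    else:
        excess = {c.lower() for c in caps_raw.split()} - ALLOWED_CAPS
        if excess:
            findings.append(
                f"CapabilityBoundingSet exceeds HCI allowlist: {sorted(excess)}"
            )
    return findings


# Constructed sample outputs standing in for `systemctl show` on two hosts.
SAMPLE_HARDENED = """\
User=
CapabilityBoundingSet=cap_net_bind_service cap_net_admin cap_net_raw
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
"""

SAMPLE_LOOSE = """\
User=
CapabilityBoundingSet=cap_chown cap_dac_override cap_net_admin cap_net_raw cap_sys_admin cap_sys_module
NoNewPrivileges=no
ProtectSystem=no
ProtectHome=no
PrivateTmp=no
"""


if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED), ("loose", SAMPLE_LOOSE)):
        result = audit(parse_show_output(sample))
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for finding in result:
            print("  -", finding)
```

On a live host, feed `fetch_unit_properties()` into `parse_show_output` instead of the constructed samples; the findings list is what a periodic access certification would record and track to closure.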
Keep Your Feelers Out for Nibbles
In an email sent on Friday, Nayyar advised businesses that opt to enable Bluetooth on their networks to watch for unusual activity. Employees should also be made aware of the possibility of BrakTooth compromise: “Individual users have to be aware of the potential for Bluetooth compromises, but their organizations have to help them,” she said.
In many circumstances, companies can detect odd Bluetooth activity and notify consumers that there may be an issue, according to Nayyar. “This is really the only way of identifying and remediating potential attacks against both individual devices and networks in general.”