BrakTooth Bluetooth Vulnerability Crashes Devices, Reveals Need for IoT Device Testing
November 05, 2021
IoT devices are everywhere – including most people’s pockets, workspaces, and living rooms. So hackers invading networks to steal data or hijack electronic devices is a common and justifiable fear.
We have all come to expect that a cheap IP camera could be compromised, but a recent announcement has revealed that even our wireless speakers, smart watches, and other Bluetooth-enabled devices aren’t safe.
Researchers at the Singapore University of Technology and Design (SUTD) recently discovered a suite of vulnerabilities present in at least 1,400 Bluetooth-enabled SoC devices from Intel, Qualcomm, Espressif Systems, and other vendors. And it’s likely that there are many, many more.
The researchers dubbed this family of exploitable vulnerabilities BrakTooth, “brak” being the Norwegian word for crash.
BrakTooth vulnerabilities are flaws in the Link Manager Protocol (LMP) firmware of Bluetooth SoCs that can be exploited by sending malicious packets that crash the device. There are a number of ways attackers or malware could leverage BrakTooth. Let’s go over a couple of them.
One way BrakTooth can compromise a Bluetooth device is a Denial of Service (DoS) attack. In this scenario, an attacker sends specially crafted packets to the target device over its Bluetooth connection. The device’s Bluetooth firmware was never designed to handle these packets: it accepts them but cannot process them correctly. Eventually, this overwhelms the device’s Bluetooth links and crashes the system.
An illustration of a BrakTooth attack scenario. (Source: https://asset-group.github.io/disclosures/braktooth/)
Hackers could also use BrakTooth to send packets that will lock an audio device through feature flooding. The researchers at SUTD performed this test on two different audio devices — a JBL Tune 500BT headphone set, and a Xiaomi MDZ-36-DB speaker. The speaker completely froze while the headphones shut down, requiring a manual reboot.
Another way BrakTooth can impact IoT devices is arbitrary code execution.
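As an added example (not code from the SUTD researchers, CISA, or any vendor’s firmware), the following C sketch shows the defensive checks an LMP handler needs to survive the two behaviours described above, an over-length crafted PDU and feature flooding, together with a small robustness test that feeds it constructed packets. The PDU byte layout and the LMP_features_req/LMP_features_res opcodes follow the Bluetooth Core specification; the struct, the function names and the flood threshold are assumptions.

```c
/* Added example, not vendor or researcher code. Opcode/TID layout, 17-byte limit and
 * the features opcodes follow the Bluetooth Core spec; names and threshold are assumed. */
#include <stdint.h>
#include <string.h>
#define LMP_MAX_PDU         17  /* single-slot (DM1) LMP payload limit */
#define LMP_FEATURES_REQ    39  /* LMP_features_req opcode */
#define LMP_FEATURES_RES    40  /* LMP_features_res opcode */
#define FEATURE_FLOOD_LIMIT  4  /* assumed: feature PDUs tolerated per link */

enum lmp_verdict { LMP_OK = 0, LMP_REJECT_LEN, LMP_REJECT_FLOOD, LMP_IGNORED };
struct lmp_link {
    unsigned feature_pdus_seen;     /* feature request/response PDUs so far */
    uint8_t  remote_features[8];
};

/* Handle one incoming LMP PDU. Every path returns a verdict; the sender's
 * length and opcode are never trusted, so crafted input cannot crash it. */
enum lmp_verdict lmp_handle(struct lmp_link *link, const uint8_t *pdu, size_t len)
{
    if (len < 1 || len > LMP_MAX_PDU)
        return LMP_REJECT_LEN;          /* malformed length: drop before parsing */
    uint8_t opcode = pdu[0] >> 1;       /* bit 0 is the transaction ID */
    switch (opcode) {
    case LMP_FEATURES_REQ:
    case LMP_FEATURES_RES:
        if (len != 9)                   /* opcode byte + 8 feature bytes */
            return LMP_REJECT_LEN;
        if (++link->feature_pdus_seen > FEATURE_FLOOD_LIMIT)
            return LMP_REJECT_FLOOD;    /* feature flooding: stop servicing */
        memcpy(link->remote_features, pdu + 1, 8);
        return LMP_OK;
    default:
        return LMP_IGNORED;             /* unknown opcode: ignored, never executed */
    }
}

/* Constructed vectors: one oversized PDU, then a valid feature request sent
 * ten times. Returns how many repeats were refused as a flood (expect 6). */
int lmp_flood_test(void)
{
    struct lmp_link link = {0};
    uint8_t good[9] = { LMP_FEATURES_REQ << 1, 0xff, 0xfe, 0x8f, 0xfe, 0xdb, 0xff, 0x5b, 0x87 };
    uint8_t huge[LMP_MAX_PDU + 1] = { LMP_FEATURES_REQ << 1 };
    if (lmp_handle(&link, huge, sizeof huge) != LMP_REJECT_LEN) return -1;
    int refused = 0;
    for (int i = 0; i < 10; i++)
        if (lmp_handle(&link, good, sizeof good) == LMP_REJECT_FLOOD) refused++;
    return refused;
}
```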
Bracing for BrakTooth
Unfortunately, there isn’t currently much that can be done to protect your devices from a BrakTooth attack – other than disabling Bluetooth when it’s not being used. But all is not lost.
The researchers who found BrakTooth notified device manufacturers of their findings so steps could be taken to patch the vulnerabilities. So, if you’re a Bluetooth user, which you most likely are, stay on the lookout for device updates as they will likely include manufacturer patches.
But from an engineering perspective, BrakTooth raises larger, testing-related issues.
First, the Bluetooth Core specification contains some gaps in terms of test methods, as it states: “A Bluetooth device in test mode shall ignore all LMP commands not related to control of the test mode.” Many Bluetooth manufacturers therefore likely overlooked the possibility of the LMP being compromised at all.
Still, the onus of connected device security doesn’t fall to the Bluetooth Special Interest Group (Bluetooth SIG). It falls to the solution provider. And, even in 2021, it appears that there is either a lack of over-the-air testing tools that could have caught this bug, or insufficient knowledge of them. That, or time-to-market pressures are so great that testing is simply not thorough enough.
In the meantime, the Cybersecurity and Infrastructure Security Agency released a BrakTooth proof-of-concept tool on GitHub that can be used to test Bluetooth devices for BrakTooth vulnerabilities.
If you’re interested in learning more about BrakTooth, SUTD researchers have launched a microsite detailing their findings here: https://asset-group.github.io/disclosures/braktooth.
If you want to learn more about IoT security best practices, including proper testing methods, register for Embedded Computing Design’s 4th Annual IoT Device Security Conference, held virtually on November 9th.