Revisiting BrakTooth: Two Months Later

Published: 2021-11-01
Last Updated: 2021-11-02 00:01:35 UTC
by Yee Ching Tok (Version: 1)
0 comment(s)

I had previously written about the impacts and implications of BrakTooth in a previous diary [1]. As a brief recap, BrakTooth is a family of Bluetooth Classic vulnerabilities that were mainly caused by non-compliance to Bluetooth Core Specifications and their respective communication protocol layers. It has been about 2 months since BrakTooth was announced, so let us take a look at how things have progressed so far.

Affected vendors highlighted in the previous diary [1]  have made some progress. With reference to Table 1 below, the summary of vulnerabilities, anomalies, devices and patch status are outlined (text in red are the changes since the previous diary entry).

Table 1: Patch Status, Vulnerabilities and SDK/Firmware Version of Affected Devices (*Contact vendor to acquire patch)
SoC/Module Vendor Bluetooth SoC Firmware/SDK Version CVE/Anomaly (A) Patch Status
Espressif Systems ESP32 esp-idf-4.4

CVE-2021-28135
CVE-2021-28136
CVE-2021-28139

A1: Accepts lower Link Manager Protocol (LMP) length

Available [2], [3]
Infineon (Cypress) CYW20735B1 WICED SDK 2.9.0

CVE-2021-34145
CVE-2021-34146
CVE-2021-34147
CVE-2021-34148

A2: Accepts higher LMP length
A6: Ignore encryption stop

Available*
Bluetrum Technology AB5301A Unspecified (LMP Subver. 3)

CVE-2021-34150
CVE-2021-31610

A1: Accepts lower LMP length
A2: Accepts higher LMP length

Available*
Intel AX200

Linux - ibt-12-16.ddc
Windows - 22.40.0

2 CVE IDs pending

A1: Accepts lower LMP length
A2: Accepts higher LMP length
A5: Invalid Response

To be announced (TBA)
Qualcomm WCN3990 crbtfw21.tlv, patch 0x0002

CVE-2021-30348

A1: Accepts lower LMP length
A2: Accepts higher LMP length
A4: Ignore Role Switch Reject

TBA
Zhuhai Jieli Technology AC6366C fw-AC63_BT_SDK 0.9.0

CVE-2021-34143
CVE-2021-34144

A1: Accepts lower LMP length
A2: Accepts higher LMP length

Available [4]
Zhuhai Jieli Technology AC6925C Unspecified (LMP Subver. 12576)

CVE-2021-31611
CVE-2021-31613

A1: Accepts lower LMP length
A2: Accepts higher LMP length

Investigation in progress
Zhuhai Jieli Technology AC6905X Unspecified (LMP Subver. 12576)

CVE-2021-31611
CVE-2021-31612
CVE-2021-31613

A1: Accepts lower LMP length
A2: Accepts higher LMP length

Investigation in progress
Actions Technology ATS281X Unspecified (LMP Subver. 5200)

CVE-2021-31717
CVE-2021-31785
CVE-2021-31786

A1: Accepts lower LMP length
A2: Accepts higher LMP length

Investigation in progress
Harman International JX25X Unspecified (LMP Subver. 5063)

CVE-2021-28155

A1: Accepts lower LMP length
A2: Accepts higher LMP length

Patch in progress
Silabs WT32i iWRAP 6.3.0 build 1149

CVE-2021-31609

A1: Accepts lower LMP length
A2: Accepts higher LMP length

Investigation in progress
Qualcomm

CSR8811/
CSR8510

v9.1.12.14

CVE-2021-35093

A1: Accepts lower LMP length
A2: Accepts higher LMP length

No fix
Texas Instruments CC2564C cc256xc_bt_sp_v1.4

CVE-2021-34149

A1: Accepts lower LMP length
A2: Accepts higher LMP length

No fix

The various patch statuses are explained as follows:

Available: The vendor has replicated the vulnerability and a patch is available.
To be announced (TBA): The vendor has produced a patch for internal testing and validation, but has yet to release such patch to the general public.
Patch in progress: The vendor has successfully replicated the vulnerability and a patch will be available soon.
Investigation in progress: The vendor is currently investigating the security issue and is being assisted by the researchers.
Pending: The vendor hardly communicated with the researchers and the status of their investigation is unclear at best. No patch is in pending state as of November 1st, 2021.
No fix: The vendor has successfully replicated the issue, but there is no plan to release a patch.

A new category – To be announced – was introduced as part of the classification of patch status.  With reference to Table 1, Intel and Qualcomm had produced a patch for internal testing and validation, but had not released it to users. For AC6366C manufactured by Zhuhai Jieli Technology, a fix was made available. Meanwhile, a patch for JX25X from Harman International is being worked on. Finally, WT32i from Silabs is investigating the issue. In addition, three vendors (Samsung, Mediatek and Airoha) have independently tested their products and assessed that some of their products are affected by BrakTooth. However, the exact Bluetooth System-on-Chips (SoC) or firmware versions affected were not provided to the researchers.

Why is an update and retrospection of BrakTooth necessary? Previously, the Automated Systems SEcuriTy (ASSET) Research Group from Singapore University of Technology and Design (SUTD) had embargoed their Proof-of-Concept (PoC) code till October 31st, 2021. The PoC code has now been made available publicly, and thus could affect unpatched Bluetooth Classic devices. For end users and organizations, it is strongly recommended to update affected devices if a patch is available. For devices that have patches to be announced or in progress, it is highly recommended that users keep a close watch on the availability of the patches and apply them once they are available.

Users should also be cognizant of the possibility that other Bluetooth Classic products (other than the ones outlined in Table 1) could be affected by BrakTooth as the Bluetooth Classic stack is likely to be shared amongst many products. Prior recommendations suggested in my previous diary to identify, address and mitigate the risks of BrakTooth are still applicable [1].

References:
[1] https://isc.sans.edu/diary/27802
[2] https://www.espressif.com/sites/default/files/advisory_downloads/AR2021-004%20Bluetooth%20Security%20Advisory.pdf
[3] https://github.com/espressif/esp-idf/tree/bf71f494a165aba5e5365e17e1e258598d9fc172
[4] https://github.com/Jieli-Tech/fw-AC63_BT_SDK/commit/d1fdd03c167f416aaa5791b1325527791e0ab705

-----------
Yee Ching Tok, ISC Handler
Personal Site
Twitter

0 comment(s)
ISC Stormcast For Monday, November 1st, 2021 https://isc.sans.edu/podcastdetail.html?id=7736

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives