Revisiting BrakTooth: Two Months Later

I had previously written about the impacts and implications of BrakTooth in a previous diary [1]. As a brief recap, BrakTooth is a family of Bluetooth Classic vulnerabilities that were mainly caused by non-compliance to Bluetooth Core Specifications and their respective communication protocol layers. It has been about 2 months since BrakTooth was announced, so let us take a look at how things have progressed so far.

Affected vendors highlighted in the previous diary [1] have made some progress. With reference to Table 1 below, the summary of vulnerabilities, anomalies, devices and patch status are outlined (text in red are the changes since the previous diary entry).

**Table 1:** Patch Status, Vulnerabilities and SDK/Firmware Version of Affected Devices (*Contact vendor to acquire patch)
SoC/Module Vendor	Bluetooth SoC	Firmware/SDK Version	CVE/Anomaly (A)	Patch Status
Espressif Systems	ESP32	esp-idf-4.4	CVE-2021-28135 CVE-2021-28136 CVE-2021-28139 A1: Accepts lower Link Manager Protocol (LMP) length	Available [2], [3]
Infineon (Cypress)	CYW20735B1	WICED SDK 2.9.0	CVE-2021-34145 CVE-2021-34146 CVE-2021-34147 CVE-2021-34148 A2: Accepts higher LMP length A6: Ignore encryption stop	Available*
Bluetrum Technology	AB5301A	Unspecified (LMP Subver. 3)	CVE-2021-34150 CVE-2021-31610 A1: Accepts lower LMP length A2: Accepts higher LMP length	Available*
Intel	AX200	Linux - ibt-12-16.ddc Windows - 22.40.0	2 CVE IDs pending A1: Accepts lower LMP length A2: Accepts higher LMP length A5: Invalid Response	To be announced (TBA)
Qualcomm	WCN3990	crbtfw21.tlv, patch 0x0002	CVE-2021-30348 A1: Accepts lower LMP length A2: Accepts higher LMP length A4: Ignore Role Switch Reject	TBA
Zhuhai Jieli Technology	AC6366C	fw-AC63_BT_SDK 0.9.0	CVE-2021-34143 CVE-2021-34144 A1: Accepts lower LMP length A2: Accepts higher LMP length	Available [4]
Zhuhai Jieli Technology	AC6925C	Unspecified (LMP Subver. 12576)	CVE-2021-31611 CVE-2021-31613 A1: Accepts lower LMP length A2: Accepts higher LMP length	Investigation in progress
Zhuhai Jieli Technology	AC6905X	Unspecified (LMP Subver. 12576)	CVE-2021-31611 CVE-2021-31612 CVE-2021-31613 A1: Accepts lower LMP length A2: Accepts higher LMP length	Investigation in progress
Actions Technology	ATS281X	Unspecified (LMP Subver. 5200)	CVE-2021-31717 CVE-2021-31785 CVE-2021-31786 A1: Accepts lower LMP length A2: Accepts higher LMP length	Investigation in progress
Harman International	JX25X	Unspecified (LMP Subver. 5063)	CVE-2021-28155 A1: Accepts lower LMP length A2: Accepts higher LMP length	Patch in progress
Silabs	WT32i	iWRAP 6.3.0 build 1149	CVE-2021-31609 A1: Accepts lower LMP length A2: Accepts higher LMP length	Investigation in progress
Qualcomm	CSR8811/ CSR8510	v9.1.12.14	CVE-2021-35093 A1: Accepts lower LMP length A2: Accepts higher LMP length	No fix
Texas Instruments	CC2564C	cc256xc_bt_sp_v1.4	CVE-2021-34149 A1: Accepts lower LMP length A2: Accepts higher LMP length	No fix

The various patch statuses are explained as follows:

Available: The vendor has replicated the vulnerability and a patch is available.
To be announced (TBA): The vendor has produced a patch for internal testing and validation, but has yet to release such patch to the general public.
Patch in progress: The vendor has successfully replicated the vulnerability and a patch will be available soon.
Investigation in progress: The vendor is currently investigating the security issue and is being assisted by the researchers.
Pending: The vendor hardly communicated with the researchers and the status of their investigation is unclear at best. No patch is in pending state as of November 1st, 2021.
No fix: The vendor has successfully replicated the issue, but there is no plan to release a patch.

A new category – To be announced – was introduced as part of the classification of patch status. With reference to Table 1, Intel and Qualcomm had produced a patch for internal testing and validation, but had not released it to users. For AC6366C manufactured by Zhuhai Jieli Technology, a fix was made available. Meanwhile, a patch for JX25X from Harman International is being worked on. Finally, WT32i from Silabs is investigating the issue. In addition, three vendors (Samsung, Mediatek and Airoha) have independently tested their products and assessed that some of their products are affected by BrakTooth. However, the exact Bluetooth System-on-Chips (SoC) or firmware versions affected were not provided to the researchers.

Why is an update and retrospection of BrakTooth necessary? Previously, the Automated Systems SEcuriTy (ASSET) Research Group from Singapore University of Technology and Design (SUTD) had embargoed their Proof-of-Concept (PoC) code till October 31st, 2021. The PoC code has now been made available publicly, and thus could affect unpatched Bluetooth Classic devices. For end users and organizations, it is strongly recommended to update affected devices if a patch is available. For devices that have patches to be announced or in progress, it is highly recommended that users keep a close watch on the availability of the patches and apply them once they are available.

Users should also be cognizant of the possibility that other Bluetooth Classic products (other than the ones outlined in Table 1) could be affected by BrakTooth as the Bluetooth Classic stack is likely to be shared amongst many products. Prior recommendations suggested in my previous diary to identify, address and mitigate the risks of BrakTooth are still applicable [1].

References:
[1] https://isc.sans.edu/diary/27802
[2] https://www.espressif.com/sites/default/files/advisory_downloads/AR2021-004%20Bluetooth%20Security%20Advisory.pdf
[3] https://github.com/espressif/esp-idf/tree/bf71f494a165aba5e5365e17e1e258598d9fc172
[4] https://github.com/Jieli-Tech/fw-AC63_BT_SDK/commit/d1fdd03c167f416aaa5791b1325527791e0ab705

-----------
Yee Ching Tok, ISC Handler
Personal Site
Twitter

Yee Ching

19 Posts
ISC Handler

Nov 2nd 2021

Thread locked Subscribe

Nov 2nd 2021
1 month ago