Researchers have found Bluetooth security flaws affecting at least 1,400 different models of commercial products ranging from laptops, smartphones and IoT devices to commercial aircraft and heavy trucks. The number of affected devices may run into the tens of millions. Unfortunately, some vendors, including Qualcomm and Texas Instruments, don't plan to fix all the flaws.
So says the team from the Singapore University of Technology and Design and Singapore's Agency for Science, Technology and Research, who call their collective discoveries "BrakTooth" and have put up a website explaining it all.
- Hundreds of thousands of home Wi-Fi routers under attack — what to do
- Here are the best Bluetooth speakers
- Plus: Cyberpunk 2077’s Xbox Series X and PS5 updates could slip to 2022
We're not going to delve into the technical details, but suffice it to say there are at least 16 different flaws affecting at least 13 different systems-on-a-chip (SoCs) or chipsets made by at least 11 different manufacturers, among them Intel, Cypress/Infineon, Harman International, Espressif, Silicon Labs and the aforementioned Qualcomm and Texas Instruments.
The flaws could cause software crashes and communications freezes, and could in some cases permit arbitrary code execution — i.e., hacking.
Here's a video provided by the researchers showing an attack that crashes a pair of JBL Tune 500 headphones.
The exact methods of attack will not be publicly disclosed until Oct. 31 to give vendors more time to deploy patches, but manufacturers can ask the researchers for private disclosure in order to test their devices.
"All the vulnerabilities ... can be triggered without any previous pairing or authentication," notes the research paper.
The flaws affect "classic" Bluetooth, i.e. Bluetooth versions 1.0 through 3.0. They do not affect Bluetooth Low Energy (BLE), also called Bluetooth 4.0 through 5.2, which is fundamentally different. However, almost all BLE-compatible devices are compatible with earlier forms of Bluetooth, rendering the devices vulnerable.
In addition to the JBL headphones, devices that the researchers tested themselves and were proven to be vulnerable included a Xiaomi Pocophone F1 smartphone, a Xiaomi MDZ-36-DB Bluetooth speaker and several development kits involving nearly a dozen SoCs.
The researchers figured out that about 1,400 different devices use the vulnerable SocS, including the Microsoft Surface Book 3, Surface Go 2, Surface Laptop 3 and Surface Pro 7; the Dell Optiplex 5070 desktop PC, the Alienware m17 R3 gaming laptop and "many more" Dell PCs; the Sony Xperia XZ2 and Oppo Reno 5G CH1921 smartphones; an Ericsson home-entertainment hub used by professional installers; at least two but likely "many more" Walmart onn.-brand Bluetooth speakers; a Panasonic soundbar; the infotainment systems of some light and commercials airfract, as well as some Volvo heavy trucks; and at least two industrial devices.
"As the BT stack is often shared across many products, it is highly probable that many other products (beyond the 1400 entries observed in Bluetooth listing) are affected by BrakTooth," write the researchers.
Three companies have already released patches for the flaws, including Espressif and Cypress/Infineon, said the researchers. Intel and Qualcomm are developing patches, while other vendors are investigating the research findings.
Unfortunately, since few of these companies make end-user products, in most cases device makers will have to incorporate the patches into their own firmware updates and then pass them on to consumers.
Not all the vendors appear to be cooperating. The researchers said that Harman International and Silicon Labs "hardly communicated with the team and the status of their investigation is unclear at best."
Meanwhile, Texas Instruments "has successfully replicated the security issue," but "will consider producing a patch only if demanded by customers."
Qualcomm is fixing one flaw, as noted above, but the situation is more complicated with another flaw. It's already been fixed on the most recent version of one chipset, but Qualcomm "has no plan" to fix it on older versions, and the flaw can't be fixed on another chipset due to insufficient memory space.