BrakTooth vulnerabilities impact closed-source Bluetooth stacks used in chips from Espressif, Intel, Qualcomm…

BrakTooth is a family of new security vulnerabilities in commercial, closed-source Bluetooth Classic stacks that range from denial of service (DoS) via firmware crashes and deadlocks to arbitrary code execution (ACE) in certain IoT devices.

A team from Singapore has discovered 16 new security vulnerabilities after evaluating 13 Bluetooth devices from 11 vendors, but after browsing through the list of certified Bluetooth devices with impacted processors, they estimate it could impact 1400 devices.

BrakTooth impacted devices

The list of BrakTooth-impacted SoCs includes some familiar names like Intel AX200 (found in many laptops and computers through M.2 cards), Espressif Systems ESP32, Texas Instruments CC2564C, Qualcomm CSR8811/CSR8510, the Bluetrum AB32VG1 board (based on the AB5301A SoC) which I’ve just reviewed, and more…

The good news is that most vendors have either already submitted a patch or are working on one.

BrakTooth firmware patch

Espressif, Infineon (previously Cypress), and Bluetrum have already released patchsets for their firmware. It’s really important to update the ESP32 firmware, as Espressif was the only vendor subject to arbitrary code execution (ACE). Harman International and Silabs are still shown as pending since their status is unknown.

Qualcomm will work on a fix for WCN3990/8, but not CSR8811/CSR8510, while Texas Instruments will only work on resolving the issues for CC2564C if customers request it as explained below:

The vendor Texas Instruments has successfully replicated the security issue, however, at this stage has no plan for producing a patch. In particular, according to the Texas Instruments PSIRT team, they will consider producing a patch only if demanded by customers.

Our team approached Qualcomm to inquire whether a patch would be available for the affected devices. We were informed that they are working on a fix for WCN3990/8 and that the security issue reported in Qualcomm CSR8811A08 has been fixed since 2011 only for ROM Versions A12 and beyond. However, new products in 2021 are still being listed to use CSR8811A08, which has no plan to be fixed. Moreover, a patch for the issue on CSR8510A10 …. is not possible … due to the lack of ROM patch space.

List of BrakTooth Vulnerabilities

You may find the full details about the vulnerabilities listed above in the research paper.

A silver lining of those vulnerabilities is that we’ve got a new tool to play with: the ESP32 Bluetooth Classic Sniffer. Developed by Matheus Garbelini for a bug bounty covering three of the BrakTooth vulnerabilities on ESP32, the open-source utility does not merely observe the Bluetooth network like passive sniffers do; as an active sniffer, it connects itself to the remote BT device (BR/EDR target) and allows testing the BT protocol down to the Baseband layer while guided by a BT host stack such as BlueKitchen. The ESP32 Bluetooth Classic Sniffer can work on inexpensive boards like ESP32-DOIT or ESP32-DevKitC.

You can see how BrakTooth vulnerabilities can be exploited with a denial-of-service attack using a Bluetooth headset as a test device.

The BrakTooth PoC Tool is available to researchers, Bluetooth semiconductor, module, and OEM vendors only until October 30, 2021, after which it will be made public.

Via ThreatPost and thanks to Zoobab for the tip.

7 Comments

Nd D
2 years ago

The big cores are 2 generations better than the RK3588. Wonder if MediaTek got a good ARM Linux support.

tonny
2 years ago

AFAIK, Cortex A-77 is not that good. So we could say that it’s 1 generation better than RK3588’s Cortex A-76. Too bad it’s Mediatek SoC. Meaning: no linux for you.

tkaiser
2 years ago

> Too bad it’s Mediatek SoC. Meaning: no linux for you

Not true for all MediaTek business units. See the upstreaming efforts around their router SoCs and, for example, them partnering with BayLibre for their ‘AIoT’ offerings.

Cameron
2 years ago

Also their Chromebook SoCs have pretty good upstreaming efforts. The MT8395 looks very similar to their MT8195 Chromebook SoC; I think many drivers will be usable without significant changes. The word Android is a bit of a red flag, though.

Nd D
2 years ago

I see. But from what I heard, the jump from A76 to A77 is one of the biggest generational jumps, while the jumps from A75 to A76 and A77 to A78 are more of a standard/ordinary jump. But I may be wrong. Anyway, hope we can get better support for Linux from MediaTek and others in the future. The more chip vendors supporting Linux, the merrier.

Steve Nordquist
2 years ago

It does seem like a bunch o’ work to compile Android 13 on it. Is there a RealTek N00B pack like Capstone/Unicorn to flush out all the undisclosed opcodes and whatnot, or is the idea to license the boxed RealTek CN Rust compiler…or simply use GPT3 and hope it’s trained?
Is there no true optimized binary (say, LibC or LINPAC20) for these chips?

Arnd Bergmann
2 years ago

It always depends on how you want to characterize the changes. The way I’d describe them, there were significant changes in the previous generations (new microarchitecture in Cortex-A73, new ISA and bus interface in Cortex-A75, new microarchitecture again in Cortex-A76), but between Cortex-A76, -A77, -A78 -X1 and Neoverse N1 I only see optimizations of the same basic design instead of generational jumps.
