Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Sunday November 07 2021, @02:12PM   Printer-friendly
from the you-can't-handle-the-tooth dept.

BrakTooth is a collection of flaws affecting commercial Bluetooth stacks on more than 1,400 chipsets used in billions of devices – including smartphones, PCs, toys, internet-of-things (IoT) devices and industrial equipment – that rely on Bluetooth Classic (BT) for communication.

On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds.

The PoC has been made available on the BrakTooth website on GitHub.

As the paper pointed out, all that attackers need to do to pick apart the BrakTooth bugs is an off-the-shelf ESP32 board that can be had for $14.80, (or as low as $4 for an alternative board on AliExpress), custom Link Manager Protocol (LMP) firmware, and a computer to run the PoC tool.

Researchers from the University of Singapore disclosed the initial group of 16 vulnerabilities (now up to 22), collectively dubbed BrakTooth, in a paper published in September. They found the bugs in the closed commercial BT stack used by 1,400+ embedded chip components and detailed a host of attack types they can cause: Mainly denial of service (DoS) via firmware crashes (the term “brak” is actually Norwegian for “crash”). One of the bugs can also lead to arbitrary code execution (ACE).

Since the paper was published, there have been a number of updates, as vendors have scrambled to patch or to figure out whether or not they will in fact patch, and as researchers have uncovered additional vulnerable devices.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday November 09 2021, @04:52AM

    by Anonymous Coward on Tuesday November 09 2021, @04:52AM (#1194871)

    1) Formal methods doesn't mean your code is correct. Formal methods only prove your code matches the method. It says nothing about if the requirements are correct or if the method itself is bugged or has gaps. If you want a subtraction machine and I go build an adding machine and prove it works using formal methods, so what? Perhaps you try to add a negative number and then we realize my proof doesn't take into account numbers below zero.
    2) It increases the cost of software development by a factor of around 1000. If you want all software development to use formal methods, expect a standard PC to cost more than a house.
    3) Random developers aren't smart enough to use formal methods. If it were adopted, there would be a MASSIVE shortage of developers.

    Software is so buggy because it's complexity increases like crazy. To write high quality software, over 80% of your code will be error handling and writing in that style is truly annoying and isn't needed most of the time. Plus what should you do if you have an error when saving a file while the program is exiting. Should you somehow halt exiting and thus perhaps prevent the machine for shutting down? If the drive is full and the user can't save and can't log out and can't open another program, WTF is your calculator app supposed to do when it's trying to store your last calculation so if you reopen it you'll be where you left off? If you want truly robust software the developers have to deal with nearly non-existent edge cases like that.