Braktooth Hunting in the Car Hacker’s Wonderland
INTRODUCTION
Years ago, a team of researchers at SUTD (Asset-Group) discovered and disclosed a family of vulnerabilities in the classic Bluetooth link manager layer. They released a paper and proof-of-concept (POC) named "Braktooth: Causing Havoc on Bluetooth Link Manager". The paper is very detailed and enjoyable to read, and I highly recommend it to anyone interested in Bluetooth security. Braktooth is the codename for a set of 16 classic Bluetooth vulnerabilities that can cause devices to continuously crash or deadlock. In at least one case, attackers can remotely execute arbitrary code and erase all data on the targeted devices. These vulnerabilities are present in various Bluetooth chipsets across many manufacturers, including Intel, Qualcomm, TI, Infineon, and others.
Since my primary focus is on vehicle security, one aspect of the Braktooth paper immediately caught my attention. The paper notes that Braktooth not only affects laptops and smartphones but also impacts infotainment units in automobiles and even audio systems in airplanes.
For in-vehicle infotainment (IVI) systems, the paper specifically mentions the Volvo FH as an example. This led me to wonder whether other popular cars are also affected by Braktooth.
FIRST-BLOOD
Before diving into testing with cars, we need to familiarize ourselves with Braktooth. Setting up the environment is quite straightforward. According to the paper, certain chipsets from MediaTek are affected. My Lenovo L14 laptop uses a Ralink chipset for Bluetooth communication, and since Ralink is part of the MediaTek group, it is an ideal candidate for testing. Since there are 16 POCs for the Braktooth vulnerabilities, we need to test each one. We found that one particular vulnerability, called Invalid-Timing-Accuracy, almost always works. Vulnerable chipsets fail to properly handle the reception of a malformed LMP timing accuracy response, especially when it is followed by multiple reconnections to the target link slave.
This vulnerability allows attackers to exhaust the Bluetooth resources of the target device. The attacker can trigger a crash or disrupt other Bluetooth devices connected to the target chipset. The best part is that the attacker only needs to know the BD_ADDR of the target device; no authentication is required to launch the attack. As demonstrated in the video below, the Bluetooth connection between the ThinkPad laptop and the speaker stops functioning and eventually disconnects.
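From the victim's side, LMP traffic is handled inside the controller and never reaches the host over HCI, so the host cannot see the malformed timing accuracy response itself. What it can see is the side effect the paper describes: the same remote BD_ADDR connecting and dropping over and over in a short window. The following detector is an added example written for this post (it is not part of the Braktooth POC, the paper, or any car maker's software). It works on a constructed, simplified rendering of HCI Connection Complete / Disconnection Complete events; the real `btmon` text output is more verbose, and the `CONNECT`/`DISCONNECT` line format, the sample addresses and the timestamps are all made up here for illustration.

```python
"""Flag Bluetooth link churn consistent with the Braktooth Invalid-Timing-Accuracy
pattern: one remote BD_ADDR repeatedly connecting and being dropped within seconds.

Added example for this post; not code from the Braktooth paper or POC.
Log format (constructed): "<seconds> <CONNECT|DISCONNECT> <bd_addr> [reason=0x..]".
"""
import re
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed sample log. The first address reconnects four times in ~1.2 s and
# each link dies with HCI reason 0x08 (Connection Timeout); the second address is
# a normal one-hour phone pairing ending with 0x13 (Remote User Terminated).
SAMPLE_LOG = """\
0.000 CONNECT 11:22:33:44:55:66
0.250 DISCONNECT 11:22:33:44:55:66 reason=0x08
0.400 CONNECT 11:22:33:44:55:66
0.600 DISCONNECT 11:22:33:44:55:66 reason=0x08
0.800 CONNECT 11:22:33:44:55:66
1.050 DISCONNECT 11:22:33:44:55:66 reason=0x08
1.200 CONNECT 11:22:33:44:55:66
1.450 DISCONNECT 11:22:33:44:55:66 reason=0x08
5.000 CONNECT AA:BB:CC:DD:EE:FF
3605.000 DISCONNECT AA:BB:CC:DD:EE:FF reason=0x13
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<event>CONNECT|DISCONNECT)\s+"
    r"(?P<addr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?:\s+reason=0x(?P<reason>[0-9A-Fa-f]{2}))?\s*$"
)

Event = Tuple[float, str, str, int]  # (timestamp, event, bd_addr, reason or -1)


def parse_events(text: str) -> List[Event]:
    """Parse the simplified log; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        reason = int(m["reason"], 16) if m["reason"] else -1
        events.append((float(m["ts"]), m["event"], m["addr"].upper(), reason))
    return events


def reconnection_churn(events: List[Event], window_s: float = 2.0,
                       threshold: int = 3) -> Dict[str, int]:
    """Return {bd_addr: peak CONNECT count} for every address whose number of
    CONNECT events inside any sliding window of `window_s` seconds reaches
    `threshold`. Addresses below the threshold are not reported."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ts, event, addr, _reason in sorted(events):
        if event != "CONNECT":
            continue
        q = recent[addr]
        q.append(ts)
        # Drop connects that fell out of the window ending at `ts`.
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[addr] = max(flagged.get(addr, 0), len(q))
    return flagged


def timeout_disconnects(events: List[Event]) -> Dict[str, int]:
    """Count DISCONNECT events with HCI reason 0x08 (Connection Timeout) per
    address; a run of these from one peer corroborates the churn signal."""
    counts: Dict[str, int] = defaultdict(int)
    for _ts, event, addr, reason in events:
        if event == "DISCONNECT" and reason == 0x08:
            counts[addr] += 1
    return dict(counts)


def analyze(text: str) -> Dict[str, int]:
    """Convenience wrapper: parse a log and return the churn verdict."""
    return reconnection_churn(parse_events(text))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for addr, peak in analyze(SAMPLE_LOG).items():
        print(f"churn: {addr} peaked at {peak} connects in 2.0 s; "
              f"timeouts={timeout_disconnects(evs).get(addr, 0)}")
```

The thresholds are deliberately conservative: a phone bouncing once after leaving range produces one or two connects, while the pattern above needs three inside two seconds. On a real IVI you would feed the same logic from the host stack's HCI trace; the point the post makes still applies, though, since the chipset is what fails, detection on the host can only alert, not prevent.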
INVESTIGATION
The easiest place to start is to have the car components on the test bench. For example, we have a second-hand Nissan IVI in the lab. After running the Invalid-Timing-Accuracy POC, we observed that the Nissan IVI froze and could no longer detect any nearby Bluetooth devices.
Another place to look for potential targets is the parking lot. If approached politely, most people are often interested in seeing if their cars can be hacked. At that time, we had access to two Tesla cars and one Changan Uni-T for testing. For the Tesla Model 3 and Model X, only the Invalid-Setup-Complete POC was successful; all other POCs failed.
For the Changan Uni-T, almost all the vulnerabilities worked. Only six of the POCs had no impact. As shown in the video, Braktooth successfully disconnected the Bluetooth connection. Interestingly, the Bluetooth logo on the IVI screen still indicated everything was functioning normally, even though the connection had been severed.
If we had enough budget, we could rent cars for testing. But what if we're working with a limited budget and need to test the latest modern vehicles? One advantage of living in a big city is being surrounded by car dealerships, which provide the perfect opportunity for testing. This time, we found four cars affected by Braktooth. The first one is the NIO ET5, a popular Chinese brand.
For the NIO ET5, Braktooth immediately disconnects the Bluetooth connection.
Next, we tested the Volkswagen ID4X. Compared to other Android-based IVI systems, the ID4X seems less user-friendly and harder to navigate.
Again, once we launched the attack, the Bluetooth connection dropped.
Finally, we tested a new car brand in the Chinese market called ARCFOX aS. As shown in the video, the music started behaving strangely once we launched the attack.
A unique aspect of this brand is that one of its car models uses Huawei's HarmonyOS as the IVI system. However, when it comes to low-level Bluetooth attacks, Huawei's HarmonyOS offers no additional protection.
Another great location for testing is a car exhibition. The advantage of an exhibition is that we might have the opportunity to test some high-end sports cars that we wouldn't normally have access to. So watch out, hackers are at work ;) Here, we tested the Leapmotor C01 and the BMW THE 5 and THE 7.
Both the BMW 5 Series and the 7 Series are affected by the Braktooth attack.
FINAL-THOUGHT
As security researchers, we strive to follow the responsible disclosure procedure. Unfortunately, unlike many internet companies, most car manufacturers are still behind the curve. They often lack a bounty program and do not provide clear contact information for reporting bugs. As a result, we have submitted our reports to their customer service departments, hoping that someone will address them. However, we did receive feedback from both Tesla and NIO. Both companies have established bug bounty programs and responded very quickly to our reports. Nonetheless, NIO and Tesla informed us that the reported bug falls outside their scope.
REFERENCES
https://asset-group.github.io/disclosures/braktooth/
https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks
https://naehrdine.blogspot.com/2021/09/hunting-ghosts-in-bluetooth-firmware.html