BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

[mendesgeo]

Dear, all

Espressif has made available a patch for a BrakTooth Vulnerability which can trigger arbitrary code execution on ESP32 via
Bluetooth Classic (BR/EDR) for those using Espressif dual mode stack or HCI-UART mode with a third-party stack.
BrakTooth disclosure: https://asset-group.github.io/disclosures/braktooth/

ESP-IDF commit with the patch: https://github.com/espressif/esp-idf/tr ... 598d9fc172
Advisory from Espressif: https://www.espressif.com/sites/default ... visory.pdf

Video of the attack: https://www.youtube.com/watch?v=F7VjuOiUsNk

[WiFive]

Thanks for info.

This is also nice:

As part of our work of reverse engineering ESP32 BT stack, we are releasing to the community a low-cost BT Classic (BR/EDR) Active Sniffer which is available at the following URL:

https://github.com/Matheus-Garbelini/es ... ic_sniffer

[jki131]

Is there any information how sniffer work? There is no source code for esp32 firmware in gtihub repo.

[mendesgeo]

Is there any information how sniffer work? There is no source code for esp32 firmware in gtihub repo.

Yes. Check again the repo. It was just updated.

[andyn_ff]

Thanks for posting the link to the advisory from Espressif. This was the only place I could actually find it.

Do you know how these get published by Espressif? Is there some list I can subscribe to to be alerted when one of these advisories is posted? I can't see if in their website's news section.

[axellin]

Subscribe the "Advisories" via https://www.espressif.com/en/subscribe