BrakTooth Bluetooth Vulnerabilities Give Rise to an Ultra-Low-Cost ESP32-Based Bluetooth Sniffer

Packet injection capabilities to follow, its creators claim — once the embargo lifts on the vulnerability proof-of-concept.

Gareth Halfacree
3 years ago · Security / Communication

Security researcher Matheus Eduardo Garbelini, best known as part of the team responsible for disclosing the SweynTooth family of Bluetooth vulnerabilities, has published a design for an ultra-low-cost Bluetooth Classic sniffer based on an Espressif ESP32 — as his team discloses yet another family of vulnerabilities.

Released by Garbelini as part of the disclosure of BrakTooth, a family of 16 security vulnerabilities affecting Bluetooth Classic hardware from a variety of vendors including Espressif, Intel, Texas Instruments, and Qualcomm, the unnamed sniffing device is claimed to be "the cheapest BR/EDR active sniffer" around — running on an ESP32 board costing as little as $4.

This ESP32 Bluetooth Classic sniffer, seen here exploiting a BrakTooth vulnerability, costs as little as $4. (Video: ASSET Group)

As well as being able to sniff Bluetooth traffic when installed as part of the piconet, capturing baseband, FHS, and LMP frames, the tool is capable of injecting packets too — a key part of the team's proof-of-concept for BrakTooth attacks, which can result in anything from a crash or reset all the way up to arbitrary code execution.

This feature, however, isn't yet publicly available. "The sniffer cannot be used to inject packets at the moment due to the PoC [Proof of Concept] embargo," the team explains. "The embargo will be lifted at the end of October 2021 and our full PoC tool will be made available to the public for research and reproduction."

Firmware for the sniffer is available on Garbelini's GitHub repository, while full details on the parts affected by the BrakTooth vulnerabilities — and the status of patches to close the holes — can be found on the disclosure page.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.