Vulnerabilities in a very popular Bluetooth system-on-a-chip (SoC) can be used to indirectly compromise smartphones, researchers at Germany's Enno Rey Netzwerke (ERNW) have found.
Devices supporting Bluetooth Classic and Bluetooth Low Energy connections could be attacked if they're within physical proximity, the ERNW researchers said.
They discovered vulnerabilities that could be used to silently connect to headphones and turn on their microphones, letting attackers eavesdrop on the wearer.
Furthermore, the vulnerabilities would expose the Remote Access Control Engine (RACE) protocol used in Airoha chips for firmware updates and diagnostics.
With RACE protocol access, attackers can dump the permanent flash memory of headphones and extract the digital link key for setting up Bluetooth connections.
This, in turn, would allow the attackers to interact with the phone, which assumes it is connecting to a paired, trusted Bluetooth peripheral.
The ERNW researchers could trigger voice assistants this way, such as Apple Siri and Hey Google, to send texts, make calls, exfiltrate data and perform other actions on the phone.
It was also possible to abuse the Hands-free Profile feature to make calls and/or eavesdrop on them.
As the Airoha SoC is commonly used by device manufacturers, the researchers tested a large range of earbuds and headphones from big-name brands such as Sony and JBL and found them to be vulnerable.
Apple makes its own Bluetooth SoC for the AirPods range of listening devices, and doesn't use Airoha's chip.
The full disclosure [pdf] follows a partial vulnerability report released by ERNW in June last year.
Airoha, the maker of the chip, was notified by the researchers and has issued an updated software development kit for its vendor customers that mitigates the vulnerabilities.
ERNW researchers Dennis Heinze and Frieder Steinmetz said that, where possible, end users should update their devices to mitigate the issue.
Removing old, unused paired Bluetooth devices is also recommended to lessen the risk of the Bluetooth link key potentially being stolen.
Finally, high-value surveillance targets such as journalists, diplomats and politicians are advised by the ERNW researchers to use wired headphones rather than Bluetooth ones, to be safe from attacks.
Users can download the researchers' RACE Toolkit from GitHub and run it to examine their devices.