Bleedingbit: Critical Vulnerabilities in BLE Chips Expose Millions of Access Points to Attack

Armis today announced the discovery of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) and used in Cisco, Meraki and Aruba wireless access points, called Bleedingbit. If exploited, they allow an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread...

Armis today announced the discovery of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) and used in Cisco, Meraki and Aruba wireless access points, called Bleedingbit.

Bleedingbit

If exploited, they allow an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. Neither of the vulnerabilities can be detected or stopped by traditional network and endpoint security solutions.

Bleedingbit vulnerability impact

The first Bleedingbit vulnerability impacts the TI BLE chips (cc2640, cc2650) embedded in Cisco and Meraki Wi-Fi access points. If exploited, the vulnerability triggers a memory corruption in the BLE stack, which could allow attackers to compromise the main system of the access point – thereby gaining full control over it.

Bleedingbit
Bleedingbit issue #1

The second issue was discovered in TI’s over-the-air firmware download (OAD) feature used in Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540). This vulnerability is technically a backdoor in BLE chips that was designed as a development tool, but is active in some production access points. It allows an attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the device.

Bleedingbit
Bleedingbit issue #2

In default configurations, the OAD feature doesn’t automatically offer a security mechanism that differentiates a “good” or trusted firmware update from a potentially malicious update. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks.

“Bleedingbit is a wakeup call to enterprise security for two reasons,” said Armis CEO Yevgeny Dibrov. “First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”

Growing risk landscape

While Armis found the vulnerabilities in Wi-Fi access points, they exist in other types of devices and equipment used in a variety of industries as well.

“In this instance, we have clearly identified how Bleedingbit impacts network devices,” said Ben Seri, VP of Research at Armis. “But this exposure potentially goes beyond access points, as these chips are used in many other types of devices and equipment. They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.”

Bleedingbit
Other potentially affected systems

“These vulnerabilities add an interesting angle to the security of IoT devices and the technology that supports those devices. The security focus regarding BLE and its implementation has been on how to protect the security of the end device and in preventing Man In the Middle (MiTM) attacks. These vulnerabilities are a sharp reminder that we need to ensure the security of the infrastructure we employ to support IoT devices is not undermined by those IoT devices or the protocols that support them,” Brian Honan, CEO at BH Consulting, told Help Net Security.

How to protect yourself

To protect themselves, organizations with Cisco, Meraki, and Aruba access points should check for the latest updates. Manufacturers using these chips should upgrade to the latest BLE-STACK from TI.

Cisco, Meraki, and Aruba are expected to have patches available by November 1. Combined, the three affected vendors represent the majority of all wireless access points sold to enterprises each year. Armis is still in the process of assessing the full reach of the Bleedingbit vulnerabilities – beyond the threat they pose on network infrastructure devices – and is working with CERT/CC and various vendors to validate that appropriate patches are provided to every affected product.

Impacted chips and remediation

The first security vulnerability is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning) in the following device/software combinations and can be remediated as follows:

  • For CC2640 (non-R2) and CC2650 with BLE-STACK version 2.2.1 or an earlier version are impacted, customers can update to version 2.2.2.
  • For CC2640R2F, version 1.00.00.22 (BLE-STACK 3.0.0) is impacted, customers can update to SimpleLink CC2640R2F SDK version 1.30.00.25 (BLE-STACK 3.0.1) or later.
  • For CC1350, version 2.20.00.38 (BLE-STACK 2.3.3) or earlier is impacted, customers can update to SimpleLink CC13x0 SDK version 2.30.00.20 (BLE-STACK 2.3.4) or later.

Additional updates on proper use of the OAD feature can be found here.

The Bleedingbit vulnerabilities are the latest issues that illustrate new attack vectors targeting unmanaged and unprotected devices. Last year, Armis discovered BlueBorne, a set of nine zero-day Bluetooth-related vulnerabilities in Android, Windows, Linux and iOS that affected billions of devices, including smartphones, TVs, laptops, watches and automobile audio systems.

Source: www.helpnetsecurity.com