Bleedingbit: Critical vulnerabilities in BLE chips expose millions of access points to attack

Armis today announced the discovery of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) and used in Cisco, Meraki and Aruba wireless access points, called Bleedingbit.

Bleedingbit

If exploited, they allow an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. Neither of the vulnerabilities can be detected or stopped by traditional network and endpoint security solutions.

Bleedingbit vulnerability impact

The first Bleedingbit vulnerability impacts the TI BLE chips (cc2640, cc2650) embedded in Cisco and Meraki Wi-Fi access points. If exploited, the vulnerability triggers a memory corruption in the BLE stack, which could allow attackers to compromise the main system of the access point – thereby gaining full control over it.

Bleedingbit

Bleedingbit issue #1

The second issue was discovered in TI’s over-the-air firmware download (OAD) feature used in Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540). This vulnerability is technically a backdoor in BLE chips that was designed as a development tool, but is active in some production access points. It allows an attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the device.

Bleedingbit

Bleedingbit issue #2

In default configurations, the OAD feature doesn’t automatically offer a security mechanism that differentiates a “good” or trusted firmware update from a potentially malicious update. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks.

“Bleedingbit is a wakeup call to enterprise security for two reasons,” said Armis CEO Yevgeny Dibrov. “First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”

Growing risk landscape

While Armis found the vulnerabilities in Wi-Fi access points, they exist in other types of devices and equipment used in a variety of industries as well.

“In this instance, we have clearly identified how Bleedingbit impacts network devices,” said Ben Seri, VP of Research at Armis. “But this exposure potentially goes beyond access points, as these chips are used in many other types of devices and equipment. They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.”

Bleedingbit

Other potentially affected systems

“These vulnerabilities add an interesting angle to the security of IoT devices and the technology that supports those devices. The security focus regarding BLE and its implementation has been on how to protect the security of the end device and in preventing Man In the Middle (MiTM) attacks. These vulnerabilities are a sharp reminder that we need to ensure the security of the infrastructure we employ to support IoT devices is not undermined by those IoT devices or the protocols that support them,” Brian Honan, CEO at BH Consulting, told Help Net Security.

Armis is still in the process of assessing the full reach of the Bleedingbit vulnerabilities – beyond the threat they pose on network infrastructure devices – and is working with CERT/CC and various vendors to validate that appropriate patches are provided to every affected product.

How to protect yourself

To protect themselves, organizations with Cisco, Meraki, and Aruba access points should check for the latest updates. Manufacturers using these chips should upgrade to the latest BLE-STACK from TI.

Cisco has identified a limited number of Aironet Access Points and Meraki Access Points that could potentially be affected by this third-party software issue – when certain conditions are met. An attack attempt would require adjacent proximity to the device, that the BLE feature be enabled, and for scanning mode to be enabled. Scanning is disabled by default for all of Cisco’s potentially affected products, and the BLE feature is disabled by default on the potentially affected Aironet devices.

Fixed software was published for all of Cisco’s affected products prior to Nov. 1. A PSIRT advisory was published at the time of the researcher’s disclosure today. Meraki also has published an advisory in the customer dashboard, and documentation is available to disable to involved settings.

“Cisco is aware of the third-party software vulnerability in the Bluetooth Low Energy (BLE) Stack on select chips that affects multiple vendors. When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco has identified a limited number of Aironet and Meraki Access Points which, under certain conditions, may be vulnerable to this issue. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. Fixed software is available for all affected Cisco products. Cisco is not aware of any malicious use of the vulnerability.” a Cisco spokesperson told Help Net Security.

Impacted chips and remediation

The first security vulnerability is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning) in the following device/software combinations and can be remediated as follows:

  • For CC2640 (non-R2) and CC2650 with BLE-STACK version 2.2.1 or an earlier version are impacted, customers can update to version 2.2.2.
  • For CC2640R2F, version 1.00.00.22 (BLE-STACK 3.0.0) is impacted, customers can update to SimpleLink CC2640R2F SDK version 1.30.00.25 (BLE-STACK 3.0.1) or later.
  • For CC1350, version 2.20.00.38 (BLE-STACK 2.3.3) or earlier is impacted, customers can update to SimpleLink CC13x0 SDK version 2.30.00.20 (BLE-STACK 2.3.4) or later.

Additional updates on proper use of the OAD feature can be found here.

The Bleedingbit vulnerabilities are the latest issues that illustrate new attack vectors targeting unmanaged and unprotected devices. Last year, Armis discovered BlueBorne, a set of nine zero-day Bluetooth-related vulnerabilities in Android, Windows, Linux and iOS that affected billions of devices, including smartphones, TVs, laptops, watches and automobile audio systems.

Don't miss