Vulnerabilities are a fact of life in technology. Most companies have professionals working for them who are skilled to find them before they are exploited. As good as many of them are, sometimes things get by and that’s where companies like Armis step in. The security firm has just discovered two new Bluetooth vulnerabilities dubbed BLEEDINGBIT.
BLEEDINGBIT effects Bluetooth Low Energy chips made by Texas Instruments and primarily used in Cisco, Meraki, and Aruba wireless access points. The vulnerabilities would allow an unauthenticated attacker to take over those access points. This would allow the attacker to spread malware through the network and “move laterally across network segments.” ARMIS says neither vulnerabilities in BLEEDINGBIT can be detected or stopped by traditional network and endpoint security options.
The first BLEEDINGBIT vulnerability impacts the TI BLE chips (cc2640, cc2650) embedded in Cisco and Meraki Wi-Fi access points. If exploited, the proximity-based vulnerability triggers a memory corruption in the BLE stack, which could allow attackers to compromise the main system of the access point – thereby gaining full control over it.
The second issue impacts the Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540) and specifically its use of TI’s over-the-air firmware download (OAD) feature. This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the BLE chip, if not implemented correctly by the manufacturer. In default configurations, the OAD feature doesn’t automatically offer a security mechanism that differentiates a “good” or trusted firmware update from a potentially malicious update. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks.
TI has already released software updates that address the first vulnerability. Cisco, Meraki, and Aruba are expected to have patches available by November 1. Armis is still in the process of assessing the full reach of the BLEEDINGBIT vulnerabilities — beyond the threat they pose on network infrastructure devices — and is working with CERT Coordination Center (CERT/CC) and various vendors to validate that appropriate patches are provided to every affected product.
“BLEEDINGBIT is a wakeup call to enterprise security for two reasons,” said Armis CEO Yevgeny Dibrov. “First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”
Armis says organizations with the affected hardware should first check for updates and manufactures of the affected hardware should upgrade to the latest BLE-STACK from Texas Instruments.
Impacted Chips and Remediation
The first security vulnerability is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning) in the following device/software combinations and can be remediated as follows:
- For CC2640 (non-R2) and CC2650 with BLE-STACK version 2.2.1 or an earlier version are impacted, customers can update to version 2.2.2.
- For CC2640R2F, version 1.00.00.22 (BLE-STACK 3.0.0) is impacted, customers can update to SimpleLink CC2640R2F SDK version 1.30.00.25 (BLE-STACK 3.0.1) or later.
- For CC1350, version 2.20.00.38 (BLE-STACK 2.3.3) or earlier is impacted, customers can update to SimpleLink CC13x0 SDK version 2.30.00.20 (BLE-STACK 2.3.4) or later.
You can read more about the vulnerabilities on Armis’s website found at the source link below.
Last Updated on February 3, 2021.