Bleedingbit vulnerabilities put Wi-Fi access points at risk
Armis researchers discovered two chip-level Bluetooth vulnerabilities -- dubbed Bleedingbit -- that could allow pseudo-remote code execution on wireless access points.
Security researchers disclosed two vulnerabilities in Bluetooth chips that put wireless access points, medical devices and more at risk of attack.
Researchers at Armis, an enterprise IoT security company based in Palo Alto, Calif., discovered two vulnerabilities in Bluetooth Low Energy (BLE) chips manufactured by Texas Instruments and have branded the flaws as Bleedingbit. Armis said the chips have been embedded in a variety of devices -- most prominently Wi-Fi access points from Cisco, Cisco Meraki and Aruba Networks.
"The Bleedingbit vulnerabilities endanger enterprises using vulnerable access points in their networks. Beyond access points, the health sector is potentially affected by these vulnerabilities, as the affected BLE chips are used in many medical devices, such as insulin pumps and pacemakers," Armis researchers wrote in a blog post. "Even private users might be affected by the vulnerabilities if they use an IoT device which embeds one of the vulnerable chips. Armis is still in the midst of evaluating the full effects of Bleedingbit on devices serving multiple sectors."
One of the Bleedingbit flaws (CVE-2018-16986) allows an attacker to run malicious code on a vulnerable device by sending a series of packets, which triggers an overflow -- or bleed -- of memory. The second flaw (CVE-2018-7080), which is specific to the Aruba 300 Series access points, can allow an attacker to load a custom version of the device firmware.
Shay Nahari, head of Red-Team services at CyberArk, based in Newton, Mass., noted that even though the Bleedingbit vulnerabilities are considered remote, "they still require physical proximity to be exploited in order to communicate with the Bluetooth chip on the device."
"These flaws are dangerous due to the fact that can be used by attackers to gain initial access into corporate environments and as a means of stealthy persistence once access is gained," Nahari wrote via email. "At the moment, they are extremely difficult to detect and exterminate without specific knowledge of the attack."
Bluetooth would need to be turned on in the target device. And Ben Seri, vice president of research at Armis, said there can be many reasons why an organization would have Bluetooth enabled.
"BLE is used for various innovative applications in access points: Retails use them to track clients in shopping malls and to supply indoor navigation systems; hospitals use them for tracking valuable assets -- by attaching BLE beacons to medical equipment and tracking their location from the access points; and it can be used to collect data on the various IoT devices in the vicinity of the access point, as well," Seri wrote via email. "Some vendors also use BLE to enable cable-free setup process of the access point itself -- which comes in handy when the AP is hooked up to the ceiling."
Armis claimed in its analysis that the Bleedingbit vulnerabilities are "contagious by their nature, allowing the attack to spread to any device in the vicinity of the initial breach."
"Attacks such as Bleedingbit, which target these devices, can effectively bypass network segmentation," Armis wrote. "Once attackers control the network devices, they gain simultaneous access to all network segments and can even eliminate segmentation altogether, proving enterprises cannot depend on network segmentation alone."
However, Travis Biehn, technical strategist and research lead at Synopsys, based in Mountain View, Calif., said he was unsure how difficult it would be for an attacker to get the kind of access described by Armis.
"I'm concerned about the technical details about how you'd pivot from the BLE microcontroller to the microcontroller controlling the executive router functions. This will be arbitrary for each affected device," Biehn wrote via email. "Intrinsically, the TI chips seem to have vulnerabilities that give attackers the ability to compromise their runtime on those TI chips. An attacker needs to identify another vulnerability between the TI chip and the main access point microcontroller to achieve the level of access described by these security researchers."
Seri said Texas Instruments has patched its software development kit against Bleedingbit, and "manufacturers that use the affected chips should upgrade their firmwares to the latest SDK." Additionally, Cisco, Meraki and Aruba have released patches, as well.
Nahari said, despite these patches, the real danger may be with other embedded devices.
"It is important to note that while the researchers focused on these access points, the underlying issue actually lies in the BLE chip, which may be installed in other embedded devices, as well," Nahari said. "Mitigating the risk by patching is extremely difficult, since, in many cases, there are no agents installed on these devices and the routers often sit at demilitarized zone or in segmented networks, making it a burden to patch."