Two critical vulnerabilities related to the use of Texas Instruments Bluetooth Low-Energy chips embedded in Cisco, Meraki and Aruba access points impact business networks
PALO ALTO, Calif., Nov. 1, 2018 — Armis, the enterprise IoT security company, today announced the discovery of two critical vulnerabilities related to the use of Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI), and used in Cisco, Meraki and Aruba wireless access points, called “BLEEDINGBIT.” If exploited, they allow an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. Neither of the vulnerabilities can be detected or stopped by traditional network and endpoint security solutions.
Enterprise Networks Impacted
The first BLEEDINGBIT vulnerability impacts the TI BLE chips (cc2640, cc2650) embedded in Cisco and Meraki Wi-Fi access points. If exploited, the proximity-based vulnerability triggers a memory corruption in the BLE stack, which could allow attackers to compromise the main system of the access point – thereby gaining full control over it.
The second issue impacts the Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540) and specifically its use of TI’s over-the-air firmware download (OAD) feature. This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the BLE chip, if not implemented correctly by the manufacturer. In default configurations, the OAD feature doesn’t automatically offer a security mechanism that differentiates a “good” or trusted firmware update from a potentially malicious update. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks.
TI has already released software updates that address the first vulnerability. Cisco, Meraki, and Aruba are expected to have patches available by November 1. Armis is still in the process of assessing the full reach of the BLEEDINGBIT vulnerabilities — beyond the threat they pose on network infrastructure devices — and is working with CERT Coordination Center (CERT/CC) and various vendors to validate that appropriate patches are provided to every affected product.
“BLEEDINGBIT is a wakeup call to enterprise security for two reasons,” said Armis CEO Yevgeny Dibrov. “First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”
More Industries and Devices May Be Affected
While Armis found the vulnerabilities in Wi-Fi access points, they may manifest in other types of devices and equipment used in a variety of industries as well.
“In this instance, we have clearly identified how BLEEDINGBIT impacts network devices,” said Ben Seri, VP of Research at Armis. “But this exposure potentially goes beyond access points, as these chips are used in many other types of devices and equipment. They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.”
How to Protect Yourself
To protect themselves, organizations with Cisco, Meraki, and Aruba access points should check for the latest updates. Manufacturers using these chips should upgrade to the latest BLE-STACK from TI.
Impacted Chips and Remediation
The first security vulnerability is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning) in the following device/software combinations and can be remediated as follows:
- For CC2640 (non-R2) and CC2650 with BLE-STACK version 2.2.1 or an earlier version are impacted, customers can update to version 2.2.2.
- For CC2640R2F, version 1.00.00.22 (BLE-STACK 3.0.0) is impacted, customers can update to SimpleLink CC2640R2F SDK version 1.30.00.25 (BLE-STACK 3.0.1) or later.
- For CC1350, version 2.20.00.38 (BLE-STACK 2.3.3) or earlier is impacted, customers can update to SimpleLink CC13x0 SDK version 2.30.00.20 (BLE-STACK 2.3.4) or later.
Additional updates on proper use of the OAD feature can be found here.
The BLEEDINGBIT vulnerabilities are the latest issues that illustrate new attack vectors targeting unmanaged and unprotected devices. Last year, Armis discovered BlueBorne, a set of nine zero-day Bluetooth-related vulnerabilities in Android, Windows, Linux and iOS that affected billions of devices, including smartphones, TVs, laptops, watches, and automobile audio systems.
For a full report on BLEEDINGBIT, please visit https://armis.com/bleedingbit.
Armis is the first agentless, enterprise-class security platform to address the new threat landscape of unmanaged and IoT devices. Fortune 1000 companies trust our unique out-of-band sensing technology to discover and analyze all managed, unmanaged, and IoT devices—from traditional devices like laptops and smartphones to new unmanaged smart devices like smart TVs, webcams, printers, HVAC systems, industrial robots, medical devices and more. Armis discovers devices on and off the network, continuously analyzes endpoint behavior to identify risks and attacks, and protects critical information and systems by identifying suspicious or malicious devices and quarantining them. Armis is a privately held company and headquartered in Palo Alto, California. Follow us on Twitter, LinkedIn and Facebook.
About Bain Capital Ventures
Bain Capital Ventures partners with disruptive founders to accelerate their ideas to market. The firm invests from seed to growth in startups driving transformation across industries, from security and cloud infrastructure to logistics and e-commerce to finance and healthcare. The firm has helped launch and commercialize more than 240 companies, including DocuSign, Jet.com, Kiva Systems, Lime, LinkedIn, Rapid7, Redis Labs, Rent the Runway, Rubrik, SendGrid and SurveyMonkey. Bain Capital Ventures has $5.2 billion in assets under management with offices in San Francisco, New York, Boston and Palo Alto. Follow the firm via LinkedIn and Twitter.