RESEARCH // BLEEDINGBIT

BLEEDINGBIT

Exposes enterprise access points and unmanaged devices to undetectable chip level attack.

Bleeding-Bit-hero-min

General Overview

Armis has identified two chip-level vulnerabilities impacting access points and potentially other unmanaged devices. Dubbed “BLEEDINGBIT,” they are two critical vulnerabilities related to the use of BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI). The chips are embedded in, among other devices, certain access points that deliver Wi-Fi to enterprise networks manufactured by Cisco, Meraki and Aruba. These are the leaders in networking, and accounting for nearly 70% of the market. Armis research focused on these network devices. These proximity-based vulnerabilities allow an unauthenticated attacker to break into enterprise networks undetected. Once an attacker takes control over an access point, he can move laterally between network segments, and create a bridge between them — effectively breaking network segmentation. Armis has reported the issues to TI and the affected vendors above. We are also working with additional vendors of various connected devices to ascertain whether they, too, are affected by the BLEEDINGBIT vulnerabilities.

Why It Matters

Both vulnerabilities identified by Armis relate to the use BLE chips, which are gaining ground with an increasing amount of applications across industries. The relatively new BLE protocol is based on the established Bluetooth protocol, but goes much further by creating closely knit networks and enabling many of the novel uses of IoT devices. Besides being used in networking devices such as access points, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts. Retailers use BLE for point of sales devices, as well as indoor navigation applications. BLE is also used in new smart locks used by hotel chains, offices, and smart homes; even in cars.

BLE chips provide new features, but also introduce new risks that expand the attack surface. This is especially true in the case of network devices, such as access points which distribute Wi-Fi on an enterprise scale, and incorporate BLE chips to allow new functionalities. In doing so, they become susceptible to a new range of chip-based vulnerabilities, endangering the integrity of the networks they serve. It is important to note that access points were already affected by over-the-air vulnerabilities in their embedded Wi-Fi chips which, unlike the BLE chips, have already been thoroughly vetted, making them less prone to such vulnerabilities. Although the vulnerabilities identified in this report require the BLE chip to be on, they provide a new attack surface.

Armis continues to gauge the full reach of the vulnerabilities.

The Unmanaged Device Challenge

The BLEEDINGBIT vulnerabilities shed light on two major unaddressed issues in cybersecurity: the poorly secured networking infrastructure devices, and the embedding and use of hardware and software developed by 3rd party vendors in products.

Network Devices Are Unmanaged Devices

Network devices are a unique phenomenon in today’s cyber landscape. Even though they handle all of the crucial information we wish to protect, they have little or no protections themselves, especially when compared to PCs and mobile devices. While PCs and mobile platforms have well founded operating systems (OSs) which include inherent mitigations, network devices have only a limited OS if any, with very little mitigations in place. This makes it much easier to exploit vulnerabilities found in them, while in PC and mobile such vulnerabilities are often unreachable and thus pose no real threat. Furthermore, while other platforms are protected by endpoint security measures forged by years of experience in the fight against cyber threats, network devices aren’t protected by such security measures. As a result, network devices are an extremely valuable prize for hackers, as they provide full access to the desired information, with very little defenses to defeat in the way.

The Need for Peripheral Vision

Another issue exposed by the vulnerabilities is the use of hardware and software developed by 3rd party vendors. Most vendors embed various chips which were not developed by them, and therefore have limited capabilities to control and vet them. By embedding these “blackboxes,” the vendors allow potential vulnerabilities to affect their devices, without their knowledge or providing adequate precautionary measures.

While chips serving Wi-Fi, BLE, or any other wireless protocol may seem peripheral, they too run code which can include vulnerabilities. When found, these vulnerabilities provide attackers with a bridgehead, from which they can easily spread to the main processor and take over the entire device. This is possible since the defenses between different components of the device is more lax than the external ones. In some cases, these chips may also be the main processor of the device, meaning that exploiting it would directly lead to full control over it.

Vendors might also misinterpret or misuse chips which were not developed by them, causing security issue such as the OAD BLEEDINGBIT vulnerability we identified.

An Unauthenticated and Undetected Attack

BLEEDINGBIT is the latest addition to the growing number of airborne threats, such as BlueBorneKRACK Attack, the Broadcom vulnerabilities and several others. As the BLEEDINGBIT vulnerabilities affect the BLE chips, responsible for wireless communication, they can be exploited remotely, via the air, unlike most attacks conducted through the Internet. This allows an unauthenticated perpetrator to penetrate a secure network of which he is not a member. Airborne attacks are beneficial to attackers for several reasons. First, they allow them to operate virtually undetected, as traditional security measures cannot detect them. Second, they are contagious by their nature, allowing the attack to spread to any device in the vicinity of the initial breach.

Network Segmentation Is At Risk in the IoT Age

Enterprises have long used network segmentation as a strategy to control access to important resources. Corporate-owned “trusted” computers are allowed onto the corporate network, using authentication protocols, and whitelisting devices like printers and few others. All other devices (BYOD and IoT) are placed on guest networks or separate VLANs. However, the segmentation itself relies upon unmanaged and loosely guarded network devices which implement it. Attacks such as BLEEDINGBIT, which target these devices can effectively bypass network segmentation. Once attackers control the network devices, they gain simultaneous access to all network segments and can even eliminate segmentation altogether, proving enterprises cannot depend on network segmentation alone.

Who’s At Risk?

First and foremost, the BLEEDINGBIT vulnerabilities endanger enterprises using vulnerable access points in their networks. Beyond access points, the health sector is potentially affected by these vulnerabilities, as the affected BLE chips are used in many medical devices, such as insulin pumps and pacemakers. Even private users might be affected by the vulnerabilities if they use an IoT device which embeds one of the vulnerable chips. Armis is still in the midst of evaluating the full effects of BLEEDINGBIT on devices serving multiple sectors.

Affected Devices

Devices affected by the RCE vulnerability (CVE-2018-16986)

The security vulnerability for CVE-2018-16986 is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning) in the following device/software combinations:

  • CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; or
  • CC2650 with BLE-STACK version 2.2.1 or an earlier version; or
  • CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); or
  • CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version.

The TI chips following have been identified as not affected by this potential vulnerability:

  • Automotive Qualified CC2640R2F-Q1
  • CC2540/CC2541 devices on any BLE-STACK version
  • CC2640R2 SDK version 1.30.00.25 or greater or CC1352/CC26x2 on any supported SDK version
  • CC2640 or CC2650 on any supported BLE-STACK SDK version 2.2.2
  • Any device configuration that doesn’t perform BLE scanning (e.g., peripheral role or advertiser role)

Additional information is available at BLE STACK v2.2.2 .

Affected Access points:

  • Cisco APs (RCE vulnerability):
    • Cisco 1800i Aironet Access Points
    • Cisco 1810 Aironet Access Points
    • Cisco 1815i Aironet Access Points
    • Cisco 1815m Aironet Access Points
    • Cisco 1815w Aironet Access Points
    • Cisco 4800 Aironet Access Points
    • Cisco 1540 Aironet Series Outdoor Access Point
  • Meraki APs (RCE vulnerability):
    • Meraki MR30H AP
    • Meraki MR33 AP
    • Meraki MR42E AP
    • Meraki MR53E AP
    • Meraki MR74

The Cisco security advisory can be found here.

Devices affected by the RCE vulnerability (CVE-2018-7080)

The vulnerability for CVE-2018-7080 affects any of the following TI’s BLE chips provided the vendor choose to include the OAD feature in his device.

  • cc2642r
  • cc2640r2
  • cc2640
  • cc2650
  • cc2540
  • cc2541

Affected Access points:

  •  AP-3xx and IAP-3xx series access points
  • AP-203R
  • AP-203RP
  • ArubaOS 6.4.4.x prior to 6.4.4.20
  • ArubaOS 6.5.3.x prior to 6.5.3.9
  • ArubaOS 6.5.4.x prior to 6.5.4.9
  • ArubaOS 8.x prior to 8.2.2.2
  • ArubaOS 8.3.x prior to 8.3.0.4

The Aruba security advisory can be found here.

Aside from the devices listed above, we are not aware of networking equipment that is affected. However, the investigation is still in process, and we advise visiting the CERT/CC advisory page for the latest information.

Disclosure Process

Armis has contacted various vendors who might be affected, as well as the manufacturer of the vulnerable chips, and the CERT/CC to try and identify all potentially affected devices. We strongly advise all companies using on of the vulnerable chips in these devices to verify whether the BLEEDINGBIT vulnerabilities affect them, and invite them to contact us at [email protected] and use our pgp key to send an encrypted report, so we can assist in the process.

BLEEDINGBIT RCE vulnerability (CVE-2018-16986)

Armis contacted Texas Instruments on June 20, 2018. Through our discussions, it was discovered that TI was familiar with the bug causing the vulnerability, and issued a fix in BLE-STACK 2.2.2. However, Armis identified it as a security issue. Once notified, the companies worked together to issue the appropriate updates to the patch, and coordinate the announcements. Cisco was notified on July 24, 2018 of the issue.

BLEEDINGBIT OAD RCE vulnerability (CVE-2018-7080)

Armis also contacted TI about the OAD vulnerability. TI indicated that the OAD feature should not be used by vendors in the production of devices in the first place. On July 9, Armis reported the issue to Aruba, which used the feature in access points it manufactured.

Technical Overview

How do the BLEEDINGBIT vulnerabilities work?

BLEEDINGBIT RCE vulnerability (CVE-2018-16986)

The first BLEEDINGBIT RCE (Remote Code Execution) vulnerability resides in a TI chip embedded in many devices. Our research focused on access points. The vulnerability can be exploited by an attacker in the vicinity of the affected device, provided its BLE is turned on, without any other prerequisites or knowledge about the device. First, the attacker sends multiple benign BLE broadcast messages, called “advertising packets,” which will be stored on the memory of the vulnerable BLE chip in targeted device. While the packets are not harmful, they contain code that will be invoked by the attacker later on. This activity will be undetected by traditional security solutions.

Next, the attacker sends the overflow packet, which is a standard advertising packet with a subtle alteration – a specific bit in its header turned ON instead of off. This bit causes the chip to allocate the information from the packet a much larger space than it really needs, triggering an overflow of critical memory in the process. The leaked memory contains function pointers – memory that points to specific code segments, which the attacker can leverage to point to the code s/he sent to the vulnerable chip in the previous stage of the attack.

At this point, the attacker can run malicious code on the targeted device, and install a backdoor on the vulnerable chip, which will await further commands transmitted over BLE. The attacker can also change the behavior of the BLE chip and attack the main processor of the device, gaining full control over it. In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation. Furthermore, the attacker can use the device in his control to spread laterally to any other device in its vicinity, launching a truly airborne attack.

Here is an example of a takeover of a BLE chip on a Cisco Access Point 1815w using a TI cc2640 BLE chip.

BLEEDINGBIT OAD RCE vulnerability (CVE-2018-7080)

The second BLEEDINGBIT vulnerability was specific to the Aruba Access Point Series 300, and its use of the OAD (Over the Air firmware Download) feature from TI. This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the BLE chip, if not implemented correctly by the manufacturer.

By default, the OAD feature is not automatically configured to address secure firmware updates. It allows a simple update mechanism of the firmware running on the BLE chip over a GATT transaction. In the case of Aruba’s access points, a hardcoded password was added (that is identical across all Aruba APs that support BLE) to prevent the OAD feature of being easily abused by attackers.

However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code, effectively allowing a completely rewrite its operating system, thereby gaining full control over it. From this point, the malicious potential is identical to that achieved by the first vulnerability.

Here is an example of a takeover of an Aruba Access Point 325 using a TI cc2540 BLE chip.

Securing against BLEEDINGBIT

For CVE-2018-16986, the TI BLE-STACK update has been released and is publically available to customers here.

  • For customers using CC2640 (non-R2) and CC2650 with BLE-STACK version 2.2.1 or earlier: update to version 2.2.2.
  • For customers using CC2640R2F, with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0): update to SimpleLink CC2640R2F SDK version 1.30.00.25 (BLE-STACK 3.0.1) or later.
  • For customers using CC1350, with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or earlier: update to SimpleLink CC13x0 SDK version 2.30.00.20 (BLE-STACK 2.3.4) or later.

Customers using these devices, software and scanning mode combinations should determine whether their application is affected based on how it is being used, and whether software updates are possible within their end application. The level of action needed will likely vary depending on the use-case of each end-product.

For TI Customer Support, questions on this issue should be directed to contact points for technical support for the BLE-STACK here.

For CVE-2018-7080, it is recommended you ensure the OAD functionality is not active in live, production environments without the proper security addressed.

Additional updates on proper use of the OAD feature from TI can be found here.

Vulnerabilities which allow attackers to spread over the air between devices pose a tremendous threat to any organization or individual. Current security measures, including endpoint protection, mobile data management, firewalls, and network security solution are not designed to identify these type of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections.

New solutions are needed to address the new airborne attack vector, especially those that make air gapping and network segmentation irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited. This is the primary mission of Armis in this new connected device age.