Two critical chip-level vulnerabilities discovered

The first BLEEDINGBIT vulnerability impacts the TI BLE chips (cc2640, cc2650) embedded in Cisco and Meraki Wi-Fi access points. The proximity-based vulnerability triggers a memory corruption in the BLE stack, which could allow attackers to compromise the main system of the access point – thereby gaining full control over it.

The second issue impacts the Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540) and specifically its use of TI’s over-the-air firmware download (OAD) feature. This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the BLE chip, if not implemented correctly by the manufacturer. In default configurations, the OAD feature doesn’t automatically offer a security mechanism that differentiates a “good” or trusted firmware update from a potentially malicious update. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks.

Armis is still in the process of assessing the full reach of the BLEEDINGBIT vulnerabilities — beyond the threat they pose on network infrastructure devices — and is working with CERT Coordination Center (CERT/CC) and various vendors to validate that appropriate patches are provided to every affected product.

“BLEEDINGBIT is a wakeup call to enterprise security for two reasons,” said Armis CEO Yevgeny Dibrov. “First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”

While Armis found the vulnerabilities in Wi-Fi access points, they may manifest in in other types of devices and equipment used in a variety of industries as well.

“In this instance, we have clearly identified how BLEEDINGBIT impacts network devices,” said Ben Seri, VP of Research at Armis. “But this exposure potentially goes beyond access points, as these chips are used in many other types of devices and equipment. They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.”

To protect themselves, Armis recommends that organisations with Cisco, Meraki, and Aruba access points should check for the latest updates. Manufacturers using these chips should upgrade to the latest BLE-STACK from TI.