Wireless access points from multiple vendors are potentially at risk thanks to a set of new Bluetooth flaws known as Bleedingbit.
Bleedingbit was publicly announced by IoT security firm Armis on Nov. 1; it impacts Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) that are used in Cisco, Meraki and Aruba wireless access points. According to Armis, the impacted vendors were all contacted in advance of the disclosure so that patches could be made available.
The Bleedingbit vulnerabilities include a memory corruption issue that impacts TI BLE chips (cc2640, cc2650 and cc2640r2). Another Bleedingbit issue is a backdoor within the over-the-air firmware download (OAD) capability on the TI BLE chip (cc2540). Armis warned that the issues could have potentially enabled an attacker to gain unauthorized access to an enterprise network.
Bluetooth is a local protocol that only works within a limited physical range. Ben Seri, head of research at Armis, commented that BLE has a nominal range of 100 meters and if the attacker adds a directional antenna, the range can be doubled or even tripled.
“The attacker only needs to be within this range for the initial attack,” Seri told eWEEK. “After an AP has been compromised, the attacker can create an outbound connection, over the internet to a C&C [command and control] server, and the attacker can walk away.”
Seri said that both Bleedingbit vulnerabilities were found by a combination of static analysis and dynamic fuzzing. He added that there are now quite a few tools for dynamic fuzzing of BLE: Basic gatttool fuzzing, Ubertooth hacking, BLE-Replay and other tools to conduct man-in-the-middle (MiTM) attacks.
The OAD feature is something that Armis views as being a backdoor that shouldn’t have been present. Seri explained that the OAD feature, by default, does not have any framework for validating authenticity of a firmware upgrade.
Seri emphasized that OAD is on the firmware of the BLE chip and not of the main system of the access point. He added that the firmware upgrades of the main system are signed and protected.
“Nevertheless, once an attacker compromises the BLE chip of an Aruba AP, he can then get access to the console connection of that AP, and through it, he can target the main system as well,” Seri said. “TI does provide guidelines for secure OAD, and those need to be implemented by manufacturers if they choose to use this feature in production.”
Network Segmentation Corruption
One of the risks that Bleedingbit represents is that it can potentially enable an attacker to modify network segmentation rules that might be in place on an AP. Seri explained that an access point, by design, can serve WiFi for different networks including different SSID, VLAN and subnets.
“So once an attacker compromises an access point—via Bleedingbit, for example—the attacker can leverage the inherent power an access point has over these various segments of the networks,” Seri said. “He may move freely between these segments, and he can also can create a bridge within the compromised AP that will allow devices within these segments to communicate directly between them.”
Seri added that Bleedingbit can eliminate the walls built by network segmentation to prevent unmanaged devices from reaching critical assets within corporate networks.
The Bleedingbit vulnerabilities are not the first time Armis has reported Bluetooth-related security vulnerabilities. In September 2017, Armis reported the BlueBorne vulnerabilities, a set of eight flaws that impact the Bluetooth stacks used on both Windows and Linux systems.
Seri said that both BlueBorne and Bleedingbit are airborne attack vectors that can be exploited remotely via the air, unlike most attacks conducted through the internet. He added that airborne attacks allow an unauthenticated perpetrator to penetrate a secure network of which they are not a member.
Airborne attacks are beneficial to attackers for several reasons, according to Seri. First, they allow them to operate virtually undetected, as traditional security measures cannot detect them. Second, they are contagious by their nature, allowing the attack to spread to any device in the vicinity of the initial breach.
“Both also show that new protocols or expanded use of these wireless protocols increase risks and the expanded attack landscape,” he said.
At this point, it’s not entirely clear what, if any, impact the Bleedingbit flaw has had to date on vulnerable devices.
“We have no information that Bleedingbit has been used in the wild,” Seri said. “Of course, if it had, legacy security solutions would not have been able to see such a compromise.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.