November 5, 2018
Multiple Bluetooth Low Energy (BLE) microcontrollers made by Texas Instruments (TI) were recently found to contain critical remote code execution vulnerabilities that could compromise Wi-Fi access points from Cisco Meraki, Cisco Systems, and Aruba Networks. There are indications that the two bugs may have wider implications, since the threat may extend beyond these network infrastructure devices.
These bugs, known as Bleedingbit, were discovered by researchers at Armis, who published the details of their findings on November 1 in coordination with the CERT/CC at Carnegie Mellon University. The university also released its own security advisory. During this same period, the affected vendors began issuing updates to patch the issue. Texas Instruments had already addressed one of the bugs earlier this year by providing a BLE-STACK update.
The Two Bugs discovered by Armis
Because the flaws lie in the over-the-air Bluetooth Low Energy protocol, they can be exploited remotely through an airborne attack, provided the attacker is within radio range of the targeted device. The first bug, CVE-2018-16986, was discovered in four chip models embedded in five Meraki and seven Cisco access points. The second bug, CVE-2018-7080, affected multiple Aruba access points, including its entire 300 series.
Generally, Aruba devices require a hardcoded password before a firmware update can occur. Nevertheless, a technical write-up by Armis noted:
“However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code, effectively allowing a complete rewrite of its operating system, thereby gaining full control over it.”
Furthermore, in a press release, Armis CEO Yevgeny Dibrov explained that Bleedingbit is a wake-up call for enterprise security for two reasons. First, the fact that attackers can gain access to a network without any warning or indication raises serious security concerns. Second, these vulnerabilities have the potential to break network segmentation. Network segmentation is normally the primary security measure most companies use to protect themselves against unknown or dangerous unmanaged and IoT devices; here, the entry point for the attack is itself an unmanaged device.
Finally, Armis warns that other devices that are not access points can also be affected. “In this instance, we have clearly identified how Bleedingbit impacts network devices,” said Armis VP of Research Ben Seri in the release. “But… these chips are used in many other types of devices and equipment. They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.”