Does your organization use Cisco, Meraki, or Aruba wireless access points? If so, your devices and confidential information may be at risk. Researchers at the security firm Armis recently announced that they have found two critical vulnerabilities in Bluetooth Low Energy (BLE) chips manufactured by Texas Instruments. The affected BLE chips are used mainly in enterprise wireless access points from Cisco, Meraki, and Aruba; however, they can also be found in some point-of-sale and IoT devices. According to Armis, these networking industry leaders account for 70% of the wireless access points sold to enterprises every year.
These vulnerabilities, dubbed “BleedingBit,” have the potential to expose organizations to remote code execution attacks from attackers within Bluetooth range (typically within 200-300 feet of the device), allowing unauthenticated attackers to take complete control of impacted devices and gain access to the enterprise networks hosting them.
The vulnerabilities pertaining to the use of BLE chips come in two variants. The first is a remote code execution (RCE) vulnerability (CVE-2018-16986), which applies to two specific chip models used in access points made by Cisco and Meraki. The second vulnerability (CVE-2018-7080) is limited to the Aruba Access Point Series 300 and can only be exploited if the device has the over-the-air firmware download feature enabled.
At a high level, the first vulnerability is a buffer overflow. It is triggered by flipping the highest bit in a Bluetooth packet, which causes the chip's memory to overflow, or "bleed," and lets an attacker run malicious code. The second vulnerability stems from the device not verifying whether a firmware update being processed should be trusted, which allows a potential attacker to install malicious firmware on Aruba's Access Point Series 300.
An in-depth analysis of the first vulnerability shows that it is a two-stage attack. In the first stage, the attacker sends out advertising packets that are stored in the memory of the BLE chip. These packets are not malicious in themselves, but they contain code that the attacker will use later. This stage has to be conducted from within a range of 200-300 feet of the device and cannot be initiated over the Internet.
During the second stage, the attacker sends overflow packets. They are the same advertising packets sent in stage one, but with one subtle alteration: one specific bit is turned on instead of off, causing the chip to allocate a much larger space than required and triggering an overflow. The leaked memory contains a function pointer that references specific code segments, which helps the attacker locate the code that was sent to the chip in the first stage. The attacker is now able to run malicious code on the targeted device and install a backdoor.
Additionally, the attacker is able to take over the main processor, gaining full control of the device. Once the attacker has full control, the attacker can reach all networks hosted by the access point, regardless of any network segmentation. The attacker can then use the now-controlled device to move laterally to other devices nearby, launching a truly airborne attack. Although the first vulnerability is present in several Meraki and Cisco access points, exploitation is only possible while the device is actively scanning.
The second vulnerability allows a potential attacker to gain full control of a device by delivering a malicious update to the targeted access point and rewriting its operating system. As with the first vulnerability, this attack has to be conducted from within a range of 200-300 feet of the device and cannot be initiated over the Internet. Once the access point has been compromised, however, the attacker can create an outbound connection and no longer needs to stay within range; the attack can be carried out in less than two minutes.
Financial Institution Implications
While any organization that deploys Cisco, Meraki, or Aruba wireless access points should be concerned, financial institutions that use such access points should be especially alert. If an attacker gained access to a company's access points, the risks include stolen confidential information and, ultimately, the organization being held hostage.
How to Handle BleedingBit
We are now aware of these vulnerabilities, which specific devices they affect, and what state the devices must be in for exploitation to be possible. Texas Instruments, the company that manufactures these BLE chips, addressed the first vulnerability with the release of BLE-STACK version 2.2.2.
It’s also important to note that Bluetooth is disabled on these wireless access points by default and should remain disabled unless absolutely necessary for business purposes.
Additionally, Texas Instruments recommends disabling the over-the-air update feature of these wireless access points in production environments, even though Cisco and Aruba have released patches for the affected products.
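The conditions above (which vendors, whether BLE is enabled and actively scanning, whether the over-the-air download feature is on, and whether the BLE-STACK fix is present) can be turned into a triage check that runs over an access-point inventory export. The script below is an added example written for this article; it is not code from SBS CyberSecurity, Armis, Texas Instruments or any access-point vendor. The inventory field names, the affected-model sets and the sample rows are constructed placeholders (the real affected-model lists come from the Cisco, Meraki and Aruba advisories), and it assumes the vendor firmware reports the TI BLE-STACK version, treating an unknown version as unpatched.

```python
"""Triage an access-point inventory for BleedingBit exposure.

Added example, not code from the article's authors or any vendor. It encodes the
exposure conditions the article states: CVE-2018-16986 needs an affected
Cisco/Meraki AP with BLE enabled and actively scanning and is fixed in TI
BLE-STACK 2.2.2; CVE-2018-7080 needs an Aruba 300 Series AP with the
over-the-air (OTA) firmware download feature enabled.
"""
from dataclasses import dataclass

PATCHED_BLE_STACK = (2, 2, 2)  # TI BLE-STACK release that addresses CVE-2018-16986


@dataclass(frozen=True)
class AccessPoint:
    name: str
    vendor: str                 # "cisco", "meraki" or "aruba"
    model: str
    ble_enabled: bool
    ble_scanning: bool          # BLE radio actively scanning (precondition for CVE-2018-16986)
    ota_download_enabled: bool  # Aruba over-the-air firmware download feature
    ble_stack_version: str      # assumed field; "unknown" if the firmware does not expose it


def parse_version(text):
    """Parse 'a.b.c' into a comparable tuple; an unparsable version sorts as unpatched."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return (0,)


def assess(ap, affected_cisco_meraki_models, aruba_300_series_models):
    """Return a list of (cve, severity, reason) findings for one access point."""
    findings = []
    vendor = ap.vendor.lower()
    if vendor in ("cisco", "meraki") and ap.model in affected_cisco_meraki_models:
        patched = parse_version(ap.ble_stack_version) >= PATCHED_BLE_STACK
        if ap.ble_enabled and ap.ble_scanning and not patched:
            findings.append(("CVE-2018-16986", "critical",
                             "BLE actively scanning on an unpatched BLE-STACK; disable BLE or update to 2.2.2+"))
        elif ap.ble_enabled and not patched:
            findings.append(("CVE-2018-16986", "high",
                             "BLE enabled on an unpatched BLE-STACK; exploitable once scanning starts"))
        elif ap.ble_enabled:
            findings.append(("CVE-2018-16986", "low",
                             "patched, but BLE should stay disabled unless required for business purposes"))
    if vendor == "aruba" and ap.model in aruba_300_series_models and ap.ota_download_enabled:
        findings.append(("CVE-2018-7080", "critical",
                         "OTA firmware download enabled on a 300 Series AP; disable it in production"))
    return findings


def triage(inventory, affected_cisco_meraki_models, aruba_300_series_models):
    """Map each AP name to its findings, worst severity first; clean devices are omitted."""
    order = {"critical": 0, "high": 1, "low": 2}
    report = {}
    for ap in inventory:
        findings = assess(ap, affected_cisco_meraki_models, aruba_300_series_models)
        if findings:
            report[ap.name] = sorted(findings, key=lambda f: order[f[1]])
    return report


# Constructed placeholder model sets: fill these from the vendor advisories.
AFFECTED_CISCO_MERAKI = {"CONSTRUCTED-CISCO-AP", "CONSTRUCTED-MERAKI-AP"}
ARUBA_300_SERIES = {"CONSTRUCTED-ARUBA-300"}

# Constructed inventory rows covering the exposure states the article describes.
SAMPLE_INVENTORY = [
    AccessPoint("ap-lobby", "cisco", "CONSTRUCTED-CISCO-AP", True, True, False, "2.2.1"),
    AccessPoint("ap-branch", "meraki", "CONSTRUCTED-MERAKI-AP", True, False, False, "2.2.2"),
    AccessPoint("ap-vault", "aruba", "CONSTRUCTED-ARUBA-300", False, False, True, "unknown"),
    AccessPoint("ap-teller", "aruba", "CONSTRUCTED-ARUBA-300", False, False, False, "unknown"),
    AccessPoint("ap-hq", "cisco", "CONSTRUCTED-CISCO-AP", False, False, False, "unknown"),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INVENTORY, AFFECTED_CISCO_MERAKI, ARUBA_300_SERIES).items():
        for cve, severity, reason in findings:
            print(f"{name}: {cve} [{severity}] {reason}")
```

On the sample rows, only ap-lobby (BLE scanning on an unpatched stack), ap-branch (patched but BLE still enabled) and ap-vault (OTA download enabled) produce findings; the two devices with BLE and OTA disabled are not listed, which matches the article's point that the default-off state is the safe one.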
Although it appears that Texas Instruments has resolved most of the security concerns pertaining to access points, we must be aware that these kinds of issues go beyond access points: the vulnerability is in the chip, not in the Bluetooth protocol itself. BLE chips are used in other types of devices and equipment as well, including insulin pumps and pacemakers. Other industries that could be affected include healthcare, automotive, retail, and more.
As we increasingly use new protocols such as BLE in more services and devices, it is important to account for the growing landscape of risk by implementing more preventative measures.
Written by: Daniel Sebit and Jon Waldman
SBS CyberSecurity, LLC
Regardless of what type of organization you are, you cannot protect your network and confidential information if you don’t know what you have in the first place. A standard Vulnerability Assessment can benefit any organization in five (5) ways:
- Identify and inventory your network-connected IT systems and assets
- Identify known vulnerabilities on your IT systems and assets that attackers can exploit to access your network or steal confidential information
- Determine the effectiveness of your patch management program
- Identify additional configuration or security weaknesses for your IT systems and assets, including default credentials being used, open ports or running services that should be disabled, unsupported devices or operating systems, etc.
- Provide you with a comprehensive, clear, and concise report that you and your organization can understand, from management to the technical folks that will remediate the issues discovered.
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.