Security researchers have found two severe vulnerabilities affecting several popular wireless access points, which — if exploited — could allow an attacker to compromise enterprise networks.
The two bugs are found in Bluetooth Low Energy chips built by Texas Instruments, which networking device makers — like Aruba, Cisco and Meraki — use in their line-up of enterprise wireless access points. Although the two bugs are distinctly different and target a range of models, the vulnerabilities can allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks.
Security company Armis calls the vulnerabilities “Bleeding Bit,” because the first bug involves flipping the highest bit in a Bluetooth packet that will cause its memory to overflow — or bleed — which an attacker can then use to run malicious code on an affected Cisco or Meraki hardware.
The second flaw allows an attacker to install a malicious firmware version on one of Aruba’s devices, because the software doesn’t properly check to see if it’s a trusted update or not.
Although the security researchers say the bugs allow remote code execution, the attacks are technically local — in that a would-be attacker can’t exploit the flaws over the internet and would have to be within Bluetooth range. In most cases, that’s about 100 meters or so — longer with a directional antenna — so anyone sitting outside an office building in their car could feasibly target an affected device.
“In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation,” Armis said in a technical write-up.
Ben Seri, vice president of research at Armis, said that the exploit process is “relatively straight forward.” Although the company isn’t releasing exploit code, Seri said that all an attacker needs is “any laptop or smartphone that has built-in Bluetooth in it.”
But he warned that the Bluetooth-based attack can be just one part of a wider exploit process.
“Once the attacker gains control over an access point through one of these vulnerabilities, he can establish an outbound connection over the internet to a command and control server he controls, and continue the attack from a more remote location,” he said. That would give an attacker persistence on the network, making it easier to conduct surveillance or steal data once the attackers drive away.
“Bleeding Bit” allows an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. (Image: Asrmis/supplied)
Armis doesn’t know how many devices are affected, but warned that the vulnerabilities are found in range of other devices with Bluetooth Low Energy chips.
“This exposure goes beyond access points, as these chips are used in many other types of devices and equipment,” said Seri. “They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more.”
Seri said that the vulnerabilities aren’t within the Bluetooth protocol, but with the manufacturer — in this case, the Bluetooth chip itself. As an open standard, device makers are largely left to decide for themselves how to implement the protocol. Critics have long argued that the Bluetooth specifications leave too much room for interpretation, and that can lead to security issues.
For its part, Texas Instruments confirmed the bugs and issued several patches, but attacked Armis’ findings, calling its report “factually unsubstantiated and potentially misleading,” said spokesperson Nicole Bernard.
After Armis privately disclosed the bugs in July, the three affected device makers have also released patches.
Aruba said it was “aware” of the vulnerability and warned customers in an advisory on October 18, but noted that its devices are only affected if a user enables Bluetooth — which Aruba says is disabled by default. Cisco, which also owns the Meraki brand, said some of its devices are vulnerable but they too have Bluetooth disabled by default. Fixes are already available and the company has a list of vulnerable devices noted in its support advisory. A Cisco spokesperson said that the company “isn’t aware” of anyone maliciously exploiting the vulnerability.
Carnegie Mellon University’s public vulnerability database, CERT, also has an advisory out for any other devices that might be affected.