Two flaws in the Bluetooth Low Energy chips used in major Wi-Fi Access Points could give attackers control of the wireless network.
PUBLISH DATE: 07-11-2018
Armis, an IoT security firm, has disclosed a Remote Code Execution (RCE) or Denial of Service (DoS) vulnerability in the Bluetooth Low Energy (BLE) stack of Texas Instruments (TI) CC2640 and CC2650 chips. It is the first of two vulnerabilities and stems from a memory corruption condition that can occur when the chip processes malformed BLE frames.
An attacker in close proximity to an affected device that is actively scanning could exploit the flaw by broadcasting malformed BLE frames. No pairing with the target is needed, since advertising frames are processed before any connection is established. A successful exploit lets the attacker execute arbitrary code on the chip or cause a denial of service condition on the affected device.
Bluetooth Low Energy (BLE) chips made by Texas Instruments contain vulnerabilities that could hand control of the wireless network to an attacker. Multiple Wi-Fi access points and other devices are affected.
The BLE chips manufactured by Texas Instruments are used in a large share of the Wi-Fi access point (AP) market, including access points made by Aruba, Cisco and Meraki. Together these vendors account for roughly 70% of the enterprise AP market.
The two vulnerabilities, now collectively called “BleedingBit”, have been pinpointed in the TI CC2640/CC2650 and TI CC2540/CC2541 chips.
CVE-2018-16986 is an overflow in the handling of BLE “advertising packets”. Nearby devices broadcast these packets so that the AP can discover them; the flaw lies in how the chip reads the packet's length field.
“It's supposed to be six bits, but these chips look at two additional bits that are supposed to be zero,” says Ben Seri, vice president of research at Armis. “If an attacker sends a number of well-formed advertising packets containing code, and then a malformed packet with a ‘one’ in either of those two extra bit places, it results in a stack overflow that could allow execution of all that earlier-delivered code.”
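The header quirk Seri describes can be modelled in a few lines. The following is an added example, not Armis's proof of concept and not TI's firmware: it models the two-byte header of a BLE 4.x advertising channel PDU, whose second byte carries a 6-bit Length field followed by two reserved bits that must be zero, and contrasts a parser that honours all eight bits (so a set reserved bit adds 64 or 128 to the length) with one that masks the field and bounds-checks it against a fixed receive buffer. The buffer size, function names and the two sample frames are assumptions constructed for the demonstration.

```c
/* Added example (not Armis's PoC, not TI's code): the reserved-bit length bug class. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BLE 4.x advertising channel PDU header (2 bytes):
 *   byte 0: PDU Type (4 bits) | RFU (2 bits) | TxAdd | RxAdd
 *   byte 1: Length (6 bits)   | RFU (2 bits, shall be zero)
 * The payload is at most 37 bytes: a 6-byte AdvA plus up to 31 bytes of AdvData. */
#define ADV_LEN_MASK     0x3Fu
#define ADV_RFU_MASK     0xC0u
#define ADV_MAX_PAYLOAD  37u

/* Fixed-size receive buffer as a firmware might keep it (assumed layout, not TI's). */
typedef struct {
    uint8_t hdr[2];
    uint8_t payload[ADV_MAX_PAYLOAD];
} adv_pdu_t;

/* Vulnerable interpretation: the whole byte is the length, so RFU bits inflate it. */
size_t vuln_adv_len(const uint8_t *frame) {
    return frame[1];
}

/* Bytes that a memcpy of vuln_adv_len() bytes into payload[] would write past its end. */
size_t vuln_overflow_bytes(const uint8_t *frame) {
    size_t len = vuln_adv_len(frame);
    return len > ADV_MAX_PAYLOAD ? len - ADV_MAX_PAYLOAD : 0;
}

/* Hardened interpretation: reject set RFU bits, mask to 6 bits, bounds-check the result. */
bool safe_adv_len(const uint8_t *frame, size_t *out_len) {
    if (frame[1] & ADV_RFU_MASK)
        return false;                      /* reserved bits must be zero */
    size_t len = frame[1] & ADV_LEN_MASK;
    if (len > ADV_MAX_PAYLOAD)
        return false;                      /* would not fit the receive buffer */
    *out_len = len;
    return true;
}

/* Copy a frame into the PDU buffer only when the hardened check passes. */
bool safe_adv_receive(const uint8_t *frame, size_t frame_len, adv_pdu_t *pdu) {
    size_t len;
    if (frame_len < 2 || !safe_adv_len(frame, &len) || frame_len < 2 + len)
        return false;
    memcpy(pdu->hdr, frame, 2);
    memcpy(pdu->payload, frame + 2, len);
    return true;
}

/* Constructed sample frames (not captured traffic). */
/* Well-formed ADV_IND: type 0x0, public address, length 10 = 6-byte AdvA + 4 bytes AdvData. */
const uint8_t good_frame[] = {
    0x00, 0x0A,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66,   /* AdvA */
    0x03, 0x03, 0x0F, 0x18,               /* AdvData: complete list of 16-bit UUIDs, 0x180F */
};
/* Malformed: identical, but bit 6 of the length byte is set: 0x40 | 0x0A = 0x4A (74). */
const uint8_t bad_frame[] = {
    0x00, 0x4A,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x03, 0x03, 0x0F, 0x18,
};

int main(void) {
    adv_pdu_t pdu;
    printf("good: vuln len %zu, overflow %zu bytes, hardened accepts=%d\n",
           vuln_adv_len(good_frame), vuln_overflow_bytes(good_frame),
           safe_adv_receive(good_frame, sizeof good_frame, &pdu));
    printf("bad:  vuln len %zu, overflow %zu bytes, hardened accepts=%d\n",
           vuln_adv_len(bad_frame), vuln_overflow_bytes(bad_frame),
           safe_adv_receive(bad_frame, sizeof bad_frame, &pdu));
    return 0;
}
```

The malformed frame changes nothing but one reserved bit, yet the vulnerable reading turns a 10-byte payload into a 74-byte one, 37 bytes more than the buffer holds; the hardened reading rejects it before any copy happens. The example only computes the overrun rather than performing it, so it is safe to run.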
The second vulnerability, CVE-2018-7080, affects only Aruba access points, but it lets an attacker deliver a much larger payload in a single step. The affected Aruba APs ship with TI's over-the-air download (OAD) feature for the BLE chip, a tool meant for use during development. If that feature is left active in a production system, an attacker can obtain the hard-coded password and then use OAD to completely rewrite the firmware running on the BLE chip.
The BLE radio used in Aruba's affected APs contains password-protected functionality that allows over-the-air firmware updates. Unfortunately, an attacker with access to a software image (for example, one downloaded from the Aruba website) or to the AP hardware could recover the password. With the password, an attacker can push malicious firmware updates to the BLE radio wirelessly.
Because BLE is rarely treated as a potential threat or attack vector, analysts are concerned that it is a complete blind spot from an organization's viewpoint. In reality, the BLE chip sits at a location within the system that an attacker could use as a strong point of entry.
The same BLE chips are also used in a great many IoT devices, such as smart watches and insulin pumps, raising the concern that many such devices could be taken over if an attacker succeeds in exploiting the chip.
Cisco Access Points
Cisco Aironet Access Points first supported the BLE feature in software release 8.7, so an Access Point is only vulnerable if it is running software release 22.214.171.124 or 126.96.36.199.
Aruba Access Points (vulnerable only if the BLE radio is enabled)
Other Aruba AP models not listed here do not contain a BLE radio and are not affected.
To mitigate these vulnerabilities, disable the BLE radio on affected access points; both flaws require an active BLE radio, so this removes the exposure until patched firmware is installed.
For Aruba products, update to the following patched versions.