
Armis Exposes Enterprise Access Points and Unmanaged Devices to Undetectable Chip Level Attack [BLEEDINGBIT]

Armis has identified two chip-level vulnerabilities impacting access points and potentially other unmanaged devices. Dubbed “BLEEDINGBIT,” they are two critical vulnerabilities related to the use of BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI). The chips are embedded in, among other devices, certain access points manufactured by Cisco, Meraki and Aruba that deliver Wi-Fi to enterprise networks. These vendors are the leaders in networking, together accounting for nearly 70% of the market, and Armis research focused on their network devices. These proximity-based vulnerabilities allow an unauthenticated attacker to break into enterprise networks undetected. Once an attacker takes control of an access point, they can move laterally between network segments and create a bridge between them, effectively breaking network segmentation. Armis has reported the issues to TI and the affected vendors above. We are also working with additional vendors of various connected devices to ascertain whether they, too, are affected by the BLEEDINGBIT vulnerabilities.

Both vulnerabilities identified by Armis relate to the use of BLE chips, which are gaining ground in an increasing number of applications across industries. The relatively new BLE protocol is based on the established Bluetooth protocol, but goes much further by creating closely knit networks and enabling many of the novel uses of IoT devices. Besides being used in networking devices such as access points, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts. Retailers use BLE for point-of-sale devices, as well as indoor navigation applications. BLE is also used in new smart locks used by hotel chains, offices, and smart homes; even in cars.

BLE chips provide new features, but also introduce new risks that expand the attack surface. This is especially true in the case of network devices, such as access points which distribute Wi-Fi on an enterprise scale and incorporate BLE chips to enable new functionality. In doing so, they become susceptible to a new range of chip-based vulnerabilities, endangering the integrity of the networks they serve. It is important to note that access points were already exposed to over-the-air vulnerabilities through their embedded Wi-Fi chips; unlike the BLE chips, however, those Wi-Fi chips have already been thoroughly vetted, making them less prone to such vulnerabilities. Although the vulnerabilities identified in this report require the BLE chip to be on, they provide a new attack surface.

Armis is still gauging the full reach of the vulnerabilities. We plan to release a full technical white paper describing the vulnerabilities and their exploitation at the Black Hat Europe conference.

Affected Devices

Devices affected by the RCE vulnerability (CVE-2018-16986)

The security vulnerability for CVE-2018-16986 is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning) in the following device/software combinations:

  • CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; or
  • CC2650 with BLE-STACK version 2.2.1 or an earlier version; or
  • CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); or
  • CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version.

The following TI chips have been identified as not affected by this potential vulnerability:

  • Automotive Qualified CC2640R2F-Q1
  • CC2540/CC2541 devices on any BLE-STACK version
  • CC2640R2 SDK version 1.30.00.25 or greater, or CC1352/CC26x2 on any supported SDK version
  • CC2640 or CC2650 on any supported BLE-STACK SDK version 2.2.2
  • Any device configuration that doesn’t perform BLE scanning (e.g., peripheral role or advertiser role)

Additional information is available at BLE STACK v2.2.2.

Affected Access points:

  • Cisco APs (RCE vulnerability):
    • Cisco 1800i Aironet Access Points
    • Cisco 1810 Aironet Access Points
    • Cisco 1815i Aironet Access Points
    • Cisco 1815m Aironet Access Points
    • Cisco 1815w Aironet Access Points
    • Cisco 4800 Aironet Access Points
    • Cisco 1540 Aironet Series Outdoor Access Point
  • Meraki APs (RCE vulnerability):
    • Meraki MR30H AP
    • Meraki MR33 AP
    • Meraki MR42E AP
    • Meraki MR53E AP
    • Meraki MR74

The Cisco security advisory can be found here.

Devices affected by the RCE vulnerability (CVE-2018-7080)

The vulnerability for CVE-2018-7080 affects any of the following TI BLE chips, provided the vendor chose to include the OAD (over-the-air download) feature in its device.

  • cc2642r
  • cc2640r2
  • cc2640
  • cc2650
  • cc2540
  • cc2541

Affected Access points:

  • Aruba series 300 APs (OAD issue)

The Aruba security advisory can be found here.

Aside from the devices listed above, we are not aware of networking equipment that is affected. However, the investigation is still in progress, and we advise visiting the CERT/CC advisory page for the latest information.

Read the full report here – https://armis.com/bleedingbit/



Duncan

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
