Wednesday, February 26, 2025

BLEEDINGBIT – Two Bluetooth Chip-level Vulnerabilities Affected Millions of Enterprise Wi-Fi Access Point Devices

Researchers at Armis discovered two critical vulnerabilities in Bluetooth Low Energy (BLE) chips, collectively named BLEEDINGBIT, that affect millions of BLE-equipped devices and let an attacker within radio range break into an enterprise network without authentication.

The vulnerabilities exist in BLE chips made by Texas Instruments (TI) that are embedded in the access points which provide Wi-Fi to enterprise networks.

They were found in access points manufactured by Cisco, Meraki and Aruba, vendors whose equipment serves nearly 70% of enterprise networks worldwide.

The flaws are critical because an attacker who takes over an access point sits on a device that bridges networks: from there it is possible to break network segmentation and move into the internal networks the access point serves.

Beyond network equipment, the same chips appear in a wide range of IoT devices. Medical centers use BLE beacons to track the location of valuable assets such as resuscitation carts, and the chips are also found in point-of-sale devices, smart locks, hotel-chain door locks and cars, wherever the BLE chip establishes the Bluetooth connection.

These vulnerabilities introduce a new attack surface to network devices such as access points, which distribute Wi-Fi at enterprise scale.

Both are remote code execution vulnerabilities in TI BLE chips that are embedded in many devices.

Because the vulnerable BLE chips are responsible for wireless communication, they can be exploited remotely, over the air, and a compromised chip gives the attacker a way into the network behind it.

How the BLEEDINGBIT vulnerabilities work

The two vulnerabilities work in different ways, but both target the access point itself rather than the clients connected to it.

BLEEDINGBIT RCE Vulnerability (CVE-2018-16986)

To exploit it, an attacker needs only to be within radio range of a vulnerable access point whose BLE radio is enabled; no pairing, authentication or prior knowledge of the target is required. Armis lists the affected chips as the TI CC2640, CC2650 and CC2640R2 running older BLE-STACK releases, and Cisco's advisory notes that BLE is disabled by default on the affected Aironet models, so an AP is exposed only if the feature has been turned on.

In the first stage the attacker sends a series of benign BLE broadcast messages (advertising packets), which the vulnerable chip stores in its memory. They look ordinary and pass unnoticed by network security software, but they carry the code the attacker will execute later.

The attacker then sends the overflow packet: a standard advertising packet with one bit in its header altered. That bit makes the chip allocate far more memory for the packet's contents than it should, so copying the packet overflows adjacent critical memory.

The overwritten region holds function pointers, which the attacker redirects to the code planted on the chip in the first stage.

At that point the attacker can run malicious code on the chip and install a backdoor on it; the compromised chip is then the foothold used to take over the access point and the network behind it.
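
To make the overflow mechanism concrete, here is an added, illustrative C model. It is not TI's BLE-STACK code: the page does not state which header bit TI's stack mishandled, and the memory layout (a 31-byte AdvData buffer followed by a function pointer), the fake pointer value 0xDEADBEEF, the handler address 0x1000 and the packet bytes are all constructed for the demo. It contrasts a parser that trusts the whole length byte of a BLE 4.x advertising PDU header with one that keeps only the six length bits the specification defines and bounds-checks the result, and shows how the same packet clobbers the pointer slot in one case and not the other.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Illustrative model (not TI's code) of a BLE 4.x advertising-channel PDU
 * header being trusted beyond what the spec allows. Header layout:
 *   byte 0: PDU type (bits 0-3), RFU (bits 4-5), TxAdd (bit 6), RxAdd (bit 7)
 *   byte 1: Length (bits 0-5: 6-byte AdvA + up to 31 bytes AdvData), RFU (6-7) */
#define ADV_HDR_LEN   2
#define ADV_ADDR_LEN  6
#define ADV_DATA_MAX  31
#define ADV_LEN_MASK  0x3Fu
#define ADV_LEN_MAX   (ADV_ADDR_LEN + ADV_DATA_MAX)   /* 37 */

/* Simulated chip RAM (layout assumed for the demo): the 31-byte AdvData buffer,
 * one pad byte, then a 32-bit function pointer the firmware jumps through later.
 * The pool is larger than the buffer so the overrun stays inside this array and
 * corrupts only the simulated pointer, not the demo process itself. */
#define POOL_SIZE     256
#define CB_OFFSET     (ADV_DATA_MAX + 1)   /* 32 */
#define CB_INITIAL    0x00001000u          /* legitimate handler address (assumed) */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
void pool_init(uint8_t *pool) { memset(pool, 0, POOL_SIZE); wr32le(pool + CB_OFFSET, CB_INITIAL); }
uint32_t pool_callback(const uint8_t *pool) { return rd32le(pool + CB_OFFSET); }

/* Constructed attacker PDU: a legal-looking ADV_IND whose reserved header bit 0x40
 * is set. A spec-following parser reads length 0x25 = 37; one that uses the whole
 * byte reads 0x65 = 101 and copies 95 bytes of "AdvData". */
size_t build_overflow_pdu(uint8_t *out, size_t cap, uint32_t fake_ptr) {
    const uint8_t len_byte = 0x40u | 0x25u;
    const size_t total = ADV_HDR_LEN + len_byte;   /* 103 bytes on the air */
    if (cap < total) return 0;
    memset(out, 0x41, total);                      /* filler */
    out[0] = 0x00;                                 /* PDU type ADV_IND */
    out[1] = len_byte;
    /* AdvData follows header + AdvA; the fake pointer is placed so that it lands
     * exactly on the pool's callback slot once the buffer is overrun. */
    wr32le(out + ADV_HDR_LEN + ADV_ADDR_LEN + CB_OFFSET, fake_ptr);
    return total;
}

/* Vulnerable: derives the copy length from every bit of the length byte, so the
 * 31-byte AdvData buffer is overrun. Returns bytes copied. The two clamps only keep
 * this simulation memory-safe; the real chip has no such limits. */
int parse_adv_vulnerable(const uint8_t *pdu, size_t pdu_len, uint8_t *pool) {
    if (pdu_len < ADV_HDR_LEN + ADV_ADDR_LEN) return -1;
    size_t n = (size_t)pdu[1] - ADV_ADDR_LEN;      /* bug: no & ADV_LEN_MASK */
    size_t avail = pdu_len - ADV_HDR_LEN - ADV_ADDR_LEN;
    if (n > avail) n = avail;                      /* simulation guard */
    if (n > POOL_SIZE) n = POOL_SIZE;              /* simulation guard */
    memcpy(pool, pdu + ADV_HDR_LEN + ADV_ADDR_LEN, n);
    return (int)n;
}

/* Hardened: keep only the six length bits (RFU bits are ignored, as the spec
 * requires), reject lengths outside 6..37, and never trust the header over the
 * number of bytes actually received. Returns bytes copied, or -1 on rejection. */
int parse_adv_hardened(const uint8_t *pdu, size_t pdu_len, uint8_t *pool) {
    if (pdu_len < ADV_HDR_LEN + ADV_ADDR_LEN) return -1;
    size_t len = pdu[1] & ADV_LEN_MASK;
    if (len < ADV_ADDR_LEN || len > ADV_LEN_MAX) return -1;
    if (ADV_HDR_LEN + len > pdu_len) return -1;
    size_t n = len - ADV_ADDR_LEN;                 /* 0..31: fits the buffer */
    memcpy(pool, pdu + ADV_HDR_LEN + ADV_ADDR_LEN, n);
    return (int)n;
}

/* Feed the constructed packet to one parser and report the callback slot after. */
uint32_t callback_after_parse(int hardened) {
    uint8_t pool[POOL_SIZE], pdu[128];
    pool_init(pool);
    size_t n = build_overflow_pdu(pdu, sizeof pdu, 0xDEADBEEFu);
    if (hardened) parse_adv_hardened(pdu, n, pool); else parse_adv_vulnerable(pdu, n, pool);
    return pool_callback(pool);
}

/* Override the length byte (and the byte count "received", 0 = all) to probe
 * the hardened parser's checks. */
int hardened_result(uint8_t len_byte, size_t received) {
    uint8_t pool[POOL_SIZE], pdu[128];
    pool_init(pool);
    size_t n = build_overflow_pdu(pdu, sizeof pdu, 0xDEADBEEFu);
    pdu[1] = len_byte;
    if (received == 0 || received > n) received = n;
    return parse_adv_hardened(pdu, received, pool);
}

int main(void) {
    printf("vulnerable parser: callback slot = 0x%08x\n", (unsigned)callback_after_parse(0));
    printf("hardened parser:   callback slot = 0x%08x\n", (unsigned)callback_after_parse(1));
    return 0;
}
```

Compiled and run, the vulnerable parser reports the callback slot as 0xdeadbeef while the hardened one leaves it at 0x00001000. The rule the hardened version applies generalises beyond this one bit: derive lengths only from the bits the specification defines, cap them at the size of the buffer the data lands in, and never let a link-layer header decide how many bytes get copied.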

CVE-2018-16986 – Affected Devices

Product                                         | Cisco Bug ID | Fixed Release
Cisco 1540 Aironet Series Outdoor Access Points | CSCvk44163   | 8.8.100.0
Cisco 1800i Aironet Access Points               | CSCvk44163   | 8.8.100.0
Cisco 1810 Aironet Access Points                | CSCvk44163   | 8.8.100.0
Cisco 1815i Aironet Access Points               | CSCvk44163   | 8.8.100.0
Cisco 1815m Aironet Access Points               | CSCvk44163   | 8.8.100.0
Cisco 1815w Aironet Access Points               | CSCvk44163   | 8.8.100.0
Cisco 4800 Aironet Access Points                | CSCvk44163   | 8.8.100.0
Meraki MR30H AP                                 | N/A          | MR 25.13 and later
Meraki MR33 AP                                  | N/A          | MR 25.13 and later
Meraki MR42E AP                                 | N/A          | MR 25.13 and later
Meraki MR53E AP                                 | N/A          | MR 25.13 and later
Meraki MR74                                     | N/A          | MR 25.13 and later

BLEEDINGBIT OAD RCE Vulnerability (CVE-2018-7080)

The second vulnerability affects the Aruba 300 Series access points, which use the OAD (Over-the-Air Download) firmware-update feature of the TI chips.

According to Armis, the issue is effectively a backdoor in the BLE chips: OAD was designed to allow firmware updates over BLE and is mostly used as a development tool, but it is left active in some production access points. It lets a nearby attacker connect to the chip and install a completely new and different version of the firmware. Aruba's implementation protects OAD with a password, and Armis notes the limits of that protection:

“However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code.”

CVE-2018-7080 – Affected TI Chips
  • CC2642R
  • CC2640R2
  • CC2640
  • CC2650
  • CC2540
  • CC2541
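
A practical check that follows from this, as an added example rather than anything from Armis, Aruba or TI: walk the AD structures of a BLE advertisement and flag the TI OAD service if it is listed. The parser is also a small illustration of the bounds checking this page's theme calls for, since the length byte of an AD structure is attacker-controlled just like the PDU header. The three advertisements are constructed sample data, the device names AP-1 and AP-2 are invented, and the OAD service UUID (F000FFC0-0451-4000-B000-000000000000) is taken from TI's BLE-Stack OAD profile; confirm it against the oad.h of the SDK version you actually run.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* AD types (Bluetooth Core Specification Supplement, Part A). */
#define AD_FLAGS               0x01
#define AD_UUID128_INCOMPLETE  0x06
#define AD_UUID128_COMPLETE    0x07
#define AD_NAME_COMPLETE       0x09

/* TI OAD service UUID F000FFC0-0451-4000-B000-000000000000 in on-air
 * (little-endian) byte order. Taken from the TI BLE-Stack OAD profile;
 * verify against the oad.h shipped with your SDK. */
static const uint8_t TI_OAD_SERVICE_UUID_LE[16] = {
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xB0,
    0x00,0x40,0x51,0x04,0xC0,0xFF,0x00,0xF0
};

typedef struct {
    bool oad_advertised;   /* TI OAD service UUID seen in a service-UUID list */
    bool malformed;        /* an AD length ran past the end of the data */
    int  structures;       /* AD structures parsed before stopping */
    char name[32];         /* Complete Local Name, if present */
} adv_report_t;

/* Walk AdvData as [len][type][len-1 data bytes]... Returns 0 on success or -1
 * when a length byte points past the end of the buffer; a parser that kept
 * going there would read memory it was never given. */
int parse_adv_data(const uint8_t *data, size_t len, adv_report_t *r) {
    memset(r, 0, sizeof *r);
    size_t i = 0;
    while (i < len) {
        uint8_t l = data[i];
        if (l == 0) break;                                   /* padding: stop */
        if (i + 1 + (size_t)l > len) { r->malformed = true; return -1; }
        uint8_t type = data[i + 1];
        const uint8_t *v = data + i + 2;
        size_t vlen = (size_t)l - 1;
        r->structures++;
        if (type == AD_UUID128_COMPLETE || type == AD_UUID128_INCOMPLETE) {
            for (size_t k = 0; k + 16 <= vlen; k += 16)
                if (memcmp(v + k, TI_OAD_SERVICE_UUID_LE, 16) == 0)
                    r->oad_advertised = true;
        } else if (type == AD_NAME_COMPLETE) {
            size_t n = vlen < sizeof r->name - 1 ? vlen : sizeof r->name - 1;
            memcpy(r->name, v, n);
            r->name[n] = '\0';
        }
        i += 1 + (size_t)l;
    }
    return 0;
}

/* Constructed sample advertisements (not captured from real devices). */
/* Flags, complete 128-bit UUID list containing the OAD service, name "AP-1". */
static const uint8_t SAMPLE_OAD[] = {
    0x02, 0x01, 0x06,
    0x11, 0x07, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xB0,
                0x00,0x40,0x51,0x04,0xC0,0xFF,0x00,0xF0,
    0x05, 0x09, 'A','P','-','1'
};
/* Flags and name only: nothing to flag. */
static const uint8_t SAMPLE_CLEAN[] = {
    0x02, 0x01, 0x06,
    0x05, 0x09, 'A','P','-','2'
};
/* Flags, then a UUID list whose length byte (0x1F) exceeds the bytes present. */
static const uint8_t SAMPLE_MALFORMED[] = {
    0x02, 0x01, 0x06,
    0x1F, 0x07, 0x00
};

int main(void) {
    adv_report_t r;
    parse_adv_data(SAMPLE_OAD, sizeof SAMPLE_OAD, &r);
    printf("%s: OAD service %s\n", r.name, r.oad_advertised ? "ADVERTISED" : "absent");
    parse_adv_data(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN, &r);
    printf("%s: OAD service %s\n", r.name, r.oad_advertised ? "ADVERTISED" : "absent");
    if (parse_adv_data(SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED, &r) != 0)
        printf("malformed advertisement rejected after %d structure(s)\n", r.structures);
    return 0;
}
```

An access point does not have to advertise the OAD service to expose it, so the authoritative check is a GATT primary-service discovery after connecting, where the same 16-byte comparison applies to each service returned. Finding the service on a production access point means the OAD path is live and the device should be moved to the vendor's fixed release.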

Cisco and Aruba have published security advisories listing the affected devices and the fixed releases; Texas Instruments has released updated BLE-STACK versions for the affected chips.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
