Researchers at the security company Armis have identified two chip-level vulnerabilities, dubbed Bleedingbit, in Bluetooth Low Energy (BLE) chips manufactured by Texas Instruments. These chips are used in Wi-Fi devices made by Cisco, Meraki, and Aruba. According to Armis, those three companies account for almost 70 percent of the total enterprise network.

BLE is a relatively new protocol that has gained increased use recently. “BLE chips provide new features, but also introduce new risks that expand the attack surface. This is especially true in the case of network devices, such as access points which distribute Wi-Fi on an enterprise scale, and incorporate BLE chips to allow new functionalities. In doing so, they become susceptible to a new range of chip-based vulnerabilities, endangering the integrity of the networks they serve,” Armis wrote in a post.

The first vulnerability affects TI BLE chips in Cisco and Meraki Wi-Fi access points. According to Armis, it allows attackers to break into networks undetected and move laterally between network segments: by bridging segments through the compromised access point, an attacker can defeat network segmentation.

Exploiting the vulnerability lets attackers compromise and gain full control over the main system of the access point, Armis explained.

TI responded to Armis’ claims, stating that the issue Armis found was in a previous version of the BLE-STACK. “Prior to being contacted by Armis, TI identified a potential stability issue with certain older versions of the BLE-STACK when used in a scanning mode, and we addressed this issue with software updates earlier this year. As we’ve shared with Armis, we believe the potential security vulnerability identified by Armis was addressed with previous software updates. If you have not already updated your software with the latest versions available, we encourage you to do so,” Texas Instruments wrote in a post.

The second vulnerability affects the Aruba Series 300 Wi-Fi access point and its use of TI’s over-the-air firmware download (OAD) feature, an intentional update channel built in to allow firmware updates.

The OAD vulnerability allows an attacker to push and install a different version of the firmware, rewriting the operating system of the BLE chip, if the feature was not configured properly. The default configuration of the OAD feature includes no security mechanism to differentiate between trusted and malicious firmware updates. The exploit allows attackers to abuse the access point in order to penetrate secure networks.
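The defensive counterpart to the weak default described above, as an added example that is not Armis', TI's or any vendor's code: a minimal firmware-acceptance check in Go that contrasts installing any well-formed image with requiring a vendor Ed25519 signature and rejecting downgrades. The image layout, the `Image` type and the key handling are assumptions made for illustration only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Constructed image layout for this example: 4-byte magic, 4-byte big-endian version, payload.
var imageMagic = []byte("FWIM")

type Image struct {
	Version uint32
	Payload []byte
}

// Bytes serializes the image exactly as it would be sent over the air.
func (img Image) Bytes() []byte {
	buf := new(bytes.Buffer)
	buf.Write(imageMagic)
	binary.Write(buf, binary.BigEndian, img.Version)
	buf.Write(img.Payload)
	return buf.Bytes()
}

// SignImage is the vendor-side step: sign the serialized image with the vendor's private key.
func SignImage(img Image, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, img.Bytes())
}

// AcceptUnverified mirrors the insecure default: any well-formed image is installed, whoever sent it.
func AcceptUnverified(raw []byte) (Image, error) {
	return parse(raw)
}

// AcceptVerified installs only an image signed by the vendor key that is newer than the running one,
// so an unsigned, tampered, or rolled-back image is refused before it touches the chip.
func AcceptVerified(raw, sig []byte, pub ed25519.PublicKey, runningVersion uint32) (Image, error) {
	img, err := parse(raw)
	if err != nil {
		return Image{}, err
	}
	if !ed25519.Verify(pub, raw, sig) {
		return Image{}, errors.New("firmware signature invalid: update rejected")
	}
	if img.Version <= runningVersion {
		return Image{}, errors.New("firmware downgrade or replay: update rejected")
	}
	return img, nil
}

func parse(raw []byte) (Image, error) {
	if len(raw) < 8 || !bytes.Equal(raw[:4], imageMagic) {
		return Image{}, errors.New("malformed image")
	}
	return Image{Version: binary.BigEndian.Uint32(raw[4:8]), Payload: raw[8:]}, nil
}
```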

“The over-the-air firmware download (OAD) Profile feature mentioned in Armis’ report as it relates to the TI BLE devices is not intended or marketed to be a comprehensive security solution, as noted on TI.com. Plainly, the vulnerability mentioned in Armis’ report is a system-level – not chip-level – issue. We encourage you to use security-enabled features when designing security-related systems,” TI wrote.

According to Armis, Bleedingbit sheds light on two unaddressed issues in cybersecurity:

  1. Poorly secured networking infrastructure devices.
  2. The embedding and use of hardware and software developed by third-party vendors in products.

“2018 has certainly been a year of hardware vulnerabilities. It started with Spectre and Meltdown and now we have Bleedingbit that affects BLE (Bluetooth Smart) chips manufactured by Texas Instruments,” said Ambuj Kumar, co-founder and CEO of Fortanix. “This bug renders more than 70% of enterprise wireless access points vulnerable and open to attacks. Unfortunately, these hardware-based attacks would work regardless of the network segmentation enterprises use. So, you could have the best network security solution, but an attacker could get access to the critical servers and do pretty much anything by exploiting latent system bugs.”

Armis is currently working to determine if other vendors are affected by Bleedingbit. Armis is recommending that organizations with Cisco, Meraki, and Aruba access points look for and install the latest updates from the manufacturers.