Two flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) and used in millions of Wi-Fi access points sold by Aruba, Cisco and Meraki could be exploited by an attacker to break into enterprise networks undetected, researchers said.
In a new advisory, security provider Armis, which discovered the vulnerabilities and dubbed them “BleedingBit,” said the bugs can allow a hacker to take over an access point, spread malware and move laterally across network segments. Neither of the vulnerabilities can be detected or stopped by traditional network and endpoint security solutions, Armis said.
The two flaws are quite different from one another. The first lets an attacker implant malicious code on Cisco and Meraki hardware; the second lets an attacker install bogus firmware on Aruba devices. The second stems from TI's over-the-air firmware download (OAD) feature, which in its default configuration does not authenticate the image it is offered and so cannot tell a vendor update from a malicious one. An attacker within BLE radio range of the device can therefore rewrite the firmware of the BLE chip and use the access point as a foothold into an otherwise secure network.
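To make the OAD weakness concrete, here is an added illustration, not code from Armis, TI or any of the affected vendors: a toy firmware-image acceptance check in Python. The image layout, the vendor key and the sample images are constructed for this example, and a keyed HMAC stands in for the public-key signature a real bootloader would verify. The weak path mirrors the default behaviour described above, accepting any image whose CRC is self-consistent; the hardened path additionally requires a valid tag over the version and payload and refuses rollback to an older version.

```python
"""Toy OAD-style firmware image check (added example; constructed data).

The header layout below is an assumption for this demo, not TI's OAD
format: magic(4) | version(2) | payload_len(4) | crc32(4) | tag(32) | payload
"""
import hashlib
import hmac
import struct
import zlib

MAGIC = b"OAD1"
HDR = struct.Struct("<4sHII32s")  # magic, version, payload_len, crc32, tag


def mac_for(key, version, payload):
    """Keyed tag over version and payload (stand-in for a signature)."""
    return hmac.new(key, struct.pack("<H", version) + payload, hashlib.sha256).digest()


def build_image(payload, version, key):
    """Vendor-side packaging: CRC for integrity, tag for authenticity."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return HDR.pack(MAGIC, version, len(payload), crc, mac_for(key, version, payload)) + payload


def parse_image(image):
    if len(image) < HDR.size:
        raise ValueError("short image")
    magic, version, plen, crc, tag = HDR.unpack_from(image)
    payload = image[HDR.size:HDR.size + plen]
    if magic != MAGIC or len(payload) != plen:
        raise ValueError("bad header")
    return version, crc, tag, payload


def weak_accept(image):
    """Default-style check: only verifies the CRC, so any attacker image passes."""
    try:
        _, crc, _, payload = parse_image(image)
    except ValueError:
        return False
    return (zlib.crc32(payload) & 0xFFFFFFFF) == crc


def hardened_accept(image, key, installed_version):
    """CRC plus keyed tag plus anti-rollback: rejects forged and downgraded images."""
    try:
        version, crc, tag, payload = parse_image(image)
    except ValueError:
        return False
    if (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
        return False
    if not hmac.compare_digest(mac_for(key, version, payload), tag):
        return False
    if version < installed_version:  # a signed but older image is still refused
        return False
    return True


def forge_by_crc(image, new_payload):
    """Attacker edit of a real image: swap the payload, fix the CRC, keep the old tag."""
    version, _, tag, _ = parse_image(image)
    crc = zlib.crc32(new_payload) & 0xFFFFFFFF
    return HDR.pack(MAGIC, version, len(new_payload), crc, tag) + new_payload


# Constructed keys and images for the demo.
VENDOR_KEY = b"vendor-signing-key-for-demo-only"
ATTACKER_KEY = b"attacker-does-not-know-vendor-key"
INSTALLED_VERSION = 2
LEGIT_V3 = build_image(b"\x7fBLE firmware v3 (constructed)", 3, VENDOR_KEY)
ATTACKER_V3 = build_image(b"\x7fBLE firmware with backdoor", 3, ATTACKER_KEY)
TAMPERED_V3 = forge_by_crc(LEGIT_V3, b"\x7fBLE firmware v3 + implant")
ROLLBACK_V1 = build_image(b"\x7fBLE firmware v1 (old, buggy)", 1, VENDOR_KEY)


def run_demo():
    """Returns {image name: (weak_accept result, hardened_accept result)}."""
    images = {
        "vendor_v3": LEGIT_V3,
        "attacker_v3": ATTACKER_V3,
        "tampered_v3": TAMPERED_V3,
        "vendor_v1_rollback": ROLLBACK_V1,
    }
    return {name: (weak_accept(img), hardened_accept(img, VENDOR_KEY, INSTALLED_VERSION))
            for name, img in images.items()}


if __name__ == "__main__":
    for name, (weak, hard) in run_demo().items():
        print(f"{name:20s} weak={weak} hardened={hard}")
```

Running it shows the weak check accepting all four images, including the attacker's own build, the tampered vendor image and the old vulnerable version, while the hardened check accepts only the genuine current image. Two design notes: a CRC protects against accidental corruption, not against an adversary who simply recomputes it; and because an HMAC key must live on the device, a real bootloader should instead hold only a public key and verify a signature made with a private key kept offline, so that compromising one chip does not let an attacker sign firmware for every other one.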
“Once an attacker takes control over an access point, he can move laterally between network segments, and create a bridge between them — effectively breaking network segmentation,” Armis said in its technical memo. The firm said it had reported the issues to TI and the three affected vendors, and is working with other connected-device makers to determine whether they are also affected by BleedingBit. (Cisco has posted a list of its products that are affected by the vulnerability.) In addition, it is working with the CERT Coordination Center (CERT/CC) to confirm that appropriate patches are provided for every affected product.
"BleedingBit is a wake-up call to enterprise security for two reasons," said Armis CEO Yevgeny Dibrov. "First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation -- the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device."
Ben Seri, Armis research vice president, said the vulnerabilities potentially reach well beyond Wi-Fi access points and other network devices, because the TI chips are used in a “variety of industries such as healthcare, industrial, automotive, retail, and more.” “As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it,” he said.
As a case in point, the company noted that it had previously discovered BlueBorne, a set of nine zero-day Bluetooth-related vulnerabilities in Android, Windows, Linux and iOS that affected billions of devices, including smartphones, TVs, laptops, watches and automobile audio systems.