Bleedingbit is exploitable from up to 100 meters (330 feet)

Nov 1, 2018 12:31 GMT

The Bleedingbit set of two remote code execution (RCE) vulnerabilities affects a wide range of devices that use Texas Instruments' Bluetooth Low Energy (BLE) chips.

Bluetooth Low Energy (also known as Bluetooth 4.0, Bluetooth LE, or BLE) is a low-power wireless subset of the Bluetooth standard, designed specifically for use in Internet of Things (IoT) devices.

Both vulnerabilities expose affected devices to undetected, unauthenticated, remote wireless attacks, allowing an attacker to penetrate networks that are otherwise secured against Internet-based attacks.

This translates into millions of access points and other network devices that use TI BLE chips being exposed to remote attacks.

The Bleedingbit vulnerabilities were discovered by IoT security research company Armis, the same company that found the BlueBorne (CVE-2017-1000251) Bluetooth security issues, which allow physically proximate attackers to trigger denial-of-service states in vulnerable devices.

The first Bleedingbit security flaw (CVE-2018-16986) is present in the Texas Instruments CC2640, CC2650, CC2640R2F, and CC1350 BLE chips, and it affects a wide range of Cisco and Meraki access points.

This vulnerability allows attackers within radio range to trigger a memory overflow on the device and subsequently execute arbitrary code, potentially using the compromised access point as a foothold to attack other devices on the network.

Bleedingbit exposes millions of devices using Texas Instruments' BLE chips to remote, unauthenticated attacks

The second Bleedingbit vulnerability (CVE-2018-7080) was found in the CC2642r, CC2640r2, CC2640, CC2650, CC2540, and CC2541 TI BLE chips. It additionally requires TI's OAD (Over the Air firmware Download) feature to be enabled, and it affects only Aruba series 300 access points.

This security flaw enables attackers to upload and install new firmware versions on the vulnerable Aruba APs, effectively replacing the device's operating system with their own.

Although millions of access points being exposed to RCE vulnerabilities sounds very ominous, there is an upside to these security issues residing in Bluetooth chips: potential attackers can exploit the flaws only while in close proximity (up to 100 meters/330 feet) to the affected devices.

It is also worth noting that, although the BLE specification limits the radio range, attackers could use directional antennas to extend the attack range to 200-300 meters, and could connect compromised devices to the Internet to remove the need to stay in the area.

Because the security issues affect the Bluetooth chips of IoT devices, the devices do not need to be Internet-facing to be vulnerable, and such attacks will come as a surprise to enterprises that have prepared security defenses only against Internet-based assaults on their networks.

Texas Instruments' BLE chips are found in access points used by enterprises, in IoT devices sold for home use, and in medical devices such as pacemakers and insulin pumps.

Texas Instruments has released BLE-STACK version 2.2.2 to fix the CVE-2018-16986 RCE security issue reported by Armis on June 20. The OAD RCE vulnerability, on the other hand, is expected to be addressed by Aruba, the vendor behind the affected access points.