Firm Says Bluetooth Chip Security Flaws Could Expose Enterprise Wifi APs to Attack

By Catie Keck on at

Researchers at the security firm Armis announced this week that they discovered two serious chip-level vulnerabilities that could potentially put “millions” of enterprise access points at risk. Namely, the security flaw could allow hackers to gain access to networks completely undetected.

Dubbed “Bleeding Bit,” the two security risks involved the use of Bluetooth Low Energy (BLE) chips used in enterprise wireless access points from Aruba, Cisco, and Meraki – networking industry leaders that account for 70 percent of the market.

The firm said this week that the vulnerabilities pertaining to the use of the BLE chips, which are made by Texas Instruments, can pose two significant problems. The first applies specifically to two chip models used in Cisco and Meraki access points, while the second vulnerability can affect one of Aruba’s devices. Per TechCrunch:

Armis calls the vulnerabilities “Bleeding Bit,” because the first bug involves flipping the highest bit in a Bluetooth packet that will cause its memory to overflow – or bleed – which an attacker can then use to run malicious code on an affected Cisco or Meraki hardware.

The second flaw allows an attacker to install a malicious firmware version on one of Aruba’s devices, because the software doesn’t properly check to see if it’s a trusted update or not.

While some have already raised doubts about the likelihood that these vulnerabilities will be exploited in earnest, Armis CEO Yevgeny Dibrov said in a statement that Bleeding Bit should serve as a “wakeup call” to enterprise security for a couple of reasons.

“First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns,” he said. “Second, these vulnerabilities can break network segmentation – the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”

Armis CMO Michael Parker said in a phone call with Gizmodo that the security firm has been working with the three companies on the issue for months but did not disclose the threat to the public before Thursday to avoid the obvious security threats, which he said is standard practice for security disclosures. He added that an effort to apply patches and work toward a resolution was coordinated. Right now, Parker said, making sure that patches are implemented and customers are aware of the issue is the firm’s number one priority.

An Aruba spokesperson told Gizmodo in a statement by email that it worked to resolve the issue by updating the ArubaOS operating system firmware and sending an advisory to its customers on October 18.

“Aruba 802.11ac Wave 2 (AP-3xx) access points, as well as the AP-203R(P), contain both Wi-Fi and BLE radios and the exploit only impacts the BLE radio,” the spokesperson said. “The BLE radio is disabled by default.”

A spokesperson for Cisco, which acquired Meraki in 2012, also told Gizmodo in a statement by email that its Product Security Incident Response Team (PSIRT) unit had informed its customers of the issue and as well as of which Cisco products could be affected, adding: “Fixed software is available for all affected Cisco products.”

Both companies said that they were not aware of any impact to their respective customers. Texas Instruments has reportedly already issued a patch.

Armis said the takeaway is that these kinds of vulnerabilities could show up in other devices – not just access points – and could affect industries including healthcare, retail, automotive, and more. The researchers specifically pointed to the health sector, noting that BLE chips are used in devices that include pacemakers and insulin pumps.

“[T]his exposure potentially goes beyond access points, as these chips are used in many other types of devices and equipment,” Ben Seri, VP of Research at Armis, said in a statement. “As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.” [TechCrunch, Armis]

Featured image: Paul Sakuma (AP)