A team of security researchers announced the discovery of the BLEEDINGBIT vulnerability which practically makes millions of Bluetooth devices easy to hack. The issue here is related to two weaknesses demonstrated by the Bluetooth Low Energy (BLE) chips made by Texas Instruments which are widely used across both consumer and enterprise devices. Effectively this makes a lot of devices very easy to hack, the demonstrated proof-of-concept code shows that attackers can break into networks through these devices without getting detected.
CVE-2018-16986: The BLEEDINGBIT Vulnerability Can Be Used to Intrude onto Secure Networks
Bluetooth devices and spefically those that adhere to the Low Energy profile may be affected by the newest bug known as the BLEEDINGBIT vulnerability. Despite its name this it comprises of two independent issues that are rated “critical”. They are linked into one vulnerability as they have been found to affect the Bluetooth Low Energy (BLE) chips made by Texas Instruments. This has resulted in the fact that millions of devices are now vulnerable as this is one of the main manufacturers on the market.
The Bluetooth Low Energy specification is one of the key wireless technologies used by IoT and network devices. Coupled with the fact that many of them are left with default or weak account credentials makes them an even easier target. Another point of view illustrated in the announcement is the fact that the while the software and hardware implementation of a given device may be secure by itself add-on components like the Bluetooth chipset can lead to such dangerous vulnerabilities.
BLEEDINGBIT Vulnerability: Method of Intrusion
We specified earlier that there are two related issues that are exhibited by the vulnerability. The first one is a remote control exploit which is tracked in the CVE-2018-16986 advisory. It has been found to affect the following devices:
CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; CC2650 with BLE-STACK version 2.2.1 or an earlier version; CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3)
Additionally the following devices have been found to be affected by it:
Cisco 1800i Aironet Access Points, Cisco 1810 Aironet Access Points, Cisco 1815i Aironet Access Points, Cisco 1815m Aironet Access Points,
Cisco 1815w Aironet Access Points, Cisco 4800 Aironet Access Points, Cisco 1540 Aironet Series Outdoor Access Point, Meraki MR30H AP,
Meraki MR33 AP, Meraki MR42E AP, Meraki MR53E AP and Meraki MR74.
The found weakness is found to be due caused by a memory corruption condition during processing of incorrect network traffic from the BLE module. As a consequence a malicious actor that is close to the target devices can execute arbitrary code by sending such malformed data. Another possibility is the execution of a DoS (denial-of-service) condition which can shut down the device.
The associated security advisory issued by Cisco tracks the manufacturer’s ongoing research into the problem. At the time of writing this article no patch is available yet.
The second vulnerability is also a remote control exploit that is caused by a feature known as OAD. It is tracked in the CVE-2018-7080 advisory and affects the following chips: cc2642r, cc2640r2, cc2640, cc2650, cc2540 and cc2541. It has been found to affect the following access points:
AP-3xx and IAP-3xx series access points, AP-203R, AP-203RP,
ArubaOS 6.4.4.x prior to 220.127.116.11, ArubaOS 6.5.3.x prior to 18.104.22.168, ArubaOS 6.5.4.x prior to 22.214.171.124,
ArubaOS 8.x prior to 126.96.36.199 and ArubaOS 8.3.x prior to 188.8.131.52.
The documented exploit can be triggered only when the relevant BLE radio function is enabled by the device owners, by default it is disabled. The problem was found to be within the functionality that is responsible for the OTA (over-the-air) updates. The hackers have been able to push malicious copies of these images. This leads to the attackers into obtaining control of the devices.
Patches are already being released by the vendors and device manufacturers are working on their implementation. All device owners of the affected access points should apply the latest updates. If a patch is not yet available a temporary solution would be to disable the BLE radio.
Consequences of the BLEEDINGBIT Vulnerability
Bluetooth-based attacks are very popular as they are typically based on problems with implementing the wireless tecnology or a fundamental weakness in the protocols. A recent example is theBlueborne Vulnerability.
Outside of the published lists there may be other devices that are affected by the vulnerability, especially smaller vendors that are not well-known. Texas Instruments chips are used across several large OEM manufacturers that produce devices for various brands around the world. We recommend that every owner of such devices contact their vendors to make sure that their devices are not affected.