IT Wi-Fi kit bit by TI chip slip: Wireless gateways open to hijacking via BleedingBit chipset vuln

Updated On Thursday, network equipment makers Aruba, Cisco, and Cisco-owned Meraki plan to patch two flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) that power their respective enterprise Wi-Fi access points.

The coordinated disclosure, prompted by security biz Armis’ discovery of two critical vulnerabilities, aims to patch holes in BLE implementations that allow an attacker to read network traffic traveling through affected access points, inject and execute malicious code on the routers, feed malware to connected devices, and traverse network segments. These flaws can be exploited over the air.

In a phone briefing with The Register, Nadir Israel, cofounder and CTO of Armis, said the three companies account for about 70 per cent of wireless access point hardware sold to enterprises annually, though the number of affected devices isn’t yet known.

The vulnerable TI chips, he said, create a new attack surface, one that isn’t visible to affected organizations. “Once you take over a piece of the network infrastructure, you can do pretty much anything including bypassing network segmentation,” he said.

Israel said that enterprises will need to check to see whether their Wi-Fi access points are vulnerable. “It will require every organization that has these access points to patch or validate their BLE hardware,” he said.

As is now the trend with significant vulnerabilities, the flaws have been given a name: “BLEEDINGBIT,” in shouty capitals, no less.

Ben Seri, VP of research at Armis, said the name describes the nature of the first of the two flaws. It affects two TI BLE chips (CC2640 and CC2650) which can be found in Cisco and Meraki Wi-Fi access points.

“There’s a bug in the code on the TI chips that’s supposed to mask out certain bits in the BLE packet,” Seri explained.

If an attacker turns on the highest-order bit in the BLE packet length field, which is supposed to be reserved, that can lead to memory corruption in the BLE stack and potential remote code execution.
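As an added illustration (not Armis' or TI's code, and using a simplified, hypothetical header layout rather than the real BLE one), the following C snippet contrasts reading the length field raw with masking the reserved bit and bounds-checking it before the payload is copied:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout for this example only: one header byte whose low 7 bits
 * carry the payload length and whose top bit is reserved, then the payload. */
#define LEN_RESERVED_BIT 0x80u
#define LEN_MASK         0x7Fu
#define MAX_PAYLOAD      31u   /* assumed size the receive buffer was built for */

/* Unmasked read: the reserved bit is silently counted as length, so a header
 * byte of 0x85 (reserved bit + 5) is treated as 133, far beyond MAX_PAYLOAD. */
unsigned raw_length(uint8_t hdr)
{
    return hdr;
}

/* Hardened parse: mask the reserved bit, then check the masked length against
 * the buffer capacity and the bytes actually received before copying.
 * Returns the payload length on success, -1 on any violation. */
int parse_pdu(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return -1;
    unsigned len = pkt[0] & LEN_MASK;          /* drop the reserved bit */
    if (len > MAX_PAYLOAD || len > out_cap)    /* never exceed the buffer */
        return -1;
    if (len > pkt_len - 1)                     /* claimed more than received */
        return -1;
    memcpy(out, pkt + 1, len);
    return (int)len;
}

int main(void)
{
    /* Constructed frame: reserved bit set on a 5-byte payload. */
    const uint8_t pkt[] = {0x85, 1, 2, 3, 4, 5};
    uint8_t out[MAX_PAYLOAD];
    printf("raw length    : %u\n", raw_length(pkt[0]));
    printf("parsed length : %d\n", parse_pdu(pkt, sizeof pkt, out, sizeof out));
    return 0;
}
```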

The second vulnerability affects four different TI BLE chips (CC2540/1, CC2640/50, CC2640R2, and CC2642R) powering Aruba access points, and leaves TI’s over-the-air (OTA) download feature accessible. Intended for developers, OTA access is supposed to be disabled in production. On affected Aruba devices it wasn’t, according to Armis, giving an attacker the opportunity to install firmware and overwrite the device operating system.

“When you think about cyber attacks that can target organizations, most take time,” said Seri. “Here it’s actually really simple to get onto the network. Sending out a few packets allows an attacker to penetrate an access point and gain a foothold in the network.”

The affected TI chips are also used for applications other than wireless access points, including home and building automation, industrial controls, retail beacons and payment devices, health and medical devices, and fitness and gaming gear.

In terms of mitigation, Armis offers the following recommendations:

CC2640 (non-R2) and CC2650 chips running BLE-STACK version 2.2.1 or earlier are impacted; customers can update to version 2.2.2. CC2640R2F running BLE-STACK 3.0.0 is impacted; customers can update to SimpleLink CC2640R2F SDK version BLE-STACK 3.0.1 or later. CC1350 running BLE-STACK 2.3.3 or earlier is impacted; customers can update to SimpleLink CC13x0 SDK version BLE-STACK 2.3.4 or later.

Armis, which last year identified nine flaws in the Bluetooth stacks used by Apple, Google, Microsoft, and certain Linux distributions, said it’s still in the process of assessing the scope of these flaws and is working with the CERT Coordination Center and vendors to ensure affected devices get patches. ®

Updated to add

In a statement emailed to The Register after the publication of this story, a spokesperson for Cisco said:

“Cisco is aware of the third-party software vulnerability in the Bluetooth Low Energy (BLE) Stack on select chips that affects multiple vendors. When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco has identified a limited number of Aironet and Meraki Access Points which, under certain conditions, may be vulnerable to this issue.”

The company said an attack attempt would require being next to the device, with BLE enabled and scanning mode enabled. Scanning, Cisco says, is disabled by default for potentially affected products and the BLE feature is disabled by default on the potentially affected Aironet devices.