SAN FRANCISCO – Mobile key platform UniKey has patched vulnerabilities related to the infamous BleedingBit attack in its platform. The flaws could have given attackers within close proximity access to hotel rooms, cars and more.
BleedingBit is an issue in Bluetooth Low-Energy chips made by Texas Instruments (and used in millions of wireless access points), which was disclosed in November 2018. According to researchers at Armis, who first discovered BleedingBit, some of the affected BLE radio components were used in some UniKey reference designs and products.
The researchers said in a Wednesday session at RSA Conference 2019 that the latest patch showcases just how widespread BleedingBit is on various devices – and the breadth of attacks that the flaws could enable.
“BleedingBit essentially is a wide-range set of vulnerabilities in chips by [Texas Instruments],” Armis CTO and co-founder Nadir Izrael told Threatpost at RSA. “They are prevalent in many different kinds of products. The primary focus of the original disclosure was wireless access points, which affect most enterprises of the world. But as we dug through it and made responsible disclosures processes with other companies, we found many other devices are affected.”
The most recent type of impact is what Izrael describes as “the concept of the phone as a key.” UniKey is a mobile key platform provider that brings mobile access control products to businesses, retail, hospitality and residential markets.
“Since these affected BLE radio components were used in some UniKey reference designs and products, UniKey worked closely with TI and Armis to implement immediate corrective action,” UniKey said in a statement.
BleedingBit opens corporate networks to crippling stealth attacks. In UniKey’s instance, this means that an attacker could have taken control of the access point to open doors in hotels or other markets where the solution is utilized, Izrael said.
“As security is UniKey’s main priority, the company took immediate action to push out a patch and worked with its partners to distribute the necessary software updates to the potentially impacted products,” UniKey said.
The first vulnerability (CVE-2018-16986) is tied to Texas Instruments chips cc2640/50 used in Cisco and Cisco Meraki access points. This vulnerability is a remote code-execution flaw in the BLE chip and can be exploited by a nearby unauthenticated hacker.
A second vulnerability (CVE-2018-7080) was discovered by Armis in Texas Instruments’ over-the-air firmware download feature used in Aruba Wi-Fi access point Series 300, which also uses the BLE chip.
Texas Instruments released patches (BLE-STACK SDK version 2.2.2) for affected hardware in November that will be available via OEMs.
Adversaries can exploit the bugs by simply being approximately 100 to 300 feet from the vulnerable devices. An attacker who compromises an access point can take control of it, capture all traffic, and then use the compromised device as a springboard for further internal attacks.
Moving forward, BleedingBit continues to impact various products beyond corporate enterprise networks – for instance, Zebra devices were found to be affected.
“The problem is a lot of things have BLE,” said Izrael. “It’s very prevalent as a technology. BLE is everywhere – all our phones have it, a lot of different devices have it for any number of reasons, access points have it – so the implications are very broad.”