Two Zero-Day Bugs Open Millions of Wireless Access Points to Attack

Two zero-day vulnerabilities in Bluetooth Low-Energy chips made by Texas Instruments (and used in millions of wireless access points) open corporate networks to crippling stealth attacks.

Adversaries can exploit the bugs simply by being within approximately 100 to 300 feet of the vulnerable devices. A successful attack can let an adversary take control of the access point, capture all traffic, and then use the compromised device as a springboard for further internal attacks.

The issue impacts Wi-Fi access points made by Cisco, Cisco Meraki and Hewlett-Packard Enterprise’s Aruba, accounting for a large percentage of hardware used in corporations, according to researchers at Israeli security firm Armis. The firm discovered the two bugs earlier this year and publicly disclosed them on Thursday.

“Attacks can be devastating and carried out by unauthenticated users who can exploit these bugs and break into enterprise networks undetected while sitting in the company’s lobby,” said Ben Seri, head of research at Armis.

Texas Instruments released patches (BLE-STACK SDK version 2.2.2) for affected hardware on Thursday that will be available via OEMs. Cisco is expected to release patches for three Aironet Series wireless access points (1542 AP, 1815 AP, 4800 AP), along with patches for its Cisco Meraki series access points (MR33, MR30H, MR74, MR53E), on Thursday. And Aruba has released a patch for its Aruba 3xx and IAP-3xx series access points.

According to Aruba, “the vulnerability is applicable only if the BLE radio has been enabled in affected access points. The BLE radio is disabled by default.”

Cisco representatives told Threatpost that the BLE feature is disabled by default on its Aironet devices.

Aruba is advising its affected customers to disable the BLE radio to mitigate the vulnerability.

“Fixed software was published for all of Cisco’s affected products prior to Nov. 1. A PSIRT advisory was published at the time of the researcher’s disclosure today via our established disclosure page. Meraki also published an advisory in the customer dashboard, and documentation is available to disable the involved settings,” Cisco said in an email to Threatpost.

“The vulnerability can be exploited by an attacker in the vicinity of the affected device, provided its BLE is turned on, without any other prerequisites or knowledge about the device,” according to researchers. The attacker does not need to be on the network; he or she just needs to be within range of the access point and the BLE broadcasts/beacons.

Vulnerability Details

The first vulnerability (CVE-2018-16986) is tied to the Texas Instruments cc2640/50 chips used in Cisco and Cisco Meraki access points. This vulnerability is a remote code-execution flaw in the BLE chip and can be exploited by a nearby unauthenticated hacker.

“First, the attacker sends multiple benign BLE broadcast messages, called ‘advertising packets,’ which will be stored on the memory of the vulnerable BLE chip in targeted device,” researchers said. “Next, the attacker sends the overflow packet, which is a standard advertising packet with a subtle alteration – a specific bit in its header turned on instead of off. This bit causes the chip to allocate the information from the packet to a much larger space than it really needs, triggering an overflow of critical memory in the process.”

Leaked memory is then leveraged by attackers to facilitate the running of malicious code on the chip. A backdoor is opened up on the chip, which an attacker can then use to command the chip wirelessly. From there, he or she can manipulate the main processor of the wireless access point and take full control over it locally and then remotely.

“The Texas Instrument chips are so common that an attacker could simply walk into a lobby of a company, scan for available Wi-Fi networks and begin the attack, on the assumption the BLE vulnerability is present,” said Nadir Izrael, CTO and co-founder of Armis.
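The article does not say which header bit is involved. As an added example (not code from the article, Armis or Texas Instruments), this C code shows the general receive-side rule that the overflow description implies: reserved header bits are rejected and the length is bounded before it sizes any copy. The BLE 4.x advertising header layout and the names `adv_parse` and `adv_check_sample` are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (BLE 4.x advertising-channel PDU header, 2 bytes):
 *   byte 0: PDU type (bits 0-3), reserved (4-5), TxAdd (6), RxAdd (7)
 *   byte 1: payload length (bits 0-5), reserved (6-7) */
#define ADV_HDR_LEN     2u
#define ADV_PAYLOAD_MIN 6u    /* payload starts with a 6-byte address */
#define ADV_PAYLOAD_MAX 37u
#define HDR0_RFU_MASK   0x30u
#define HDR1_LEN_MASK   0x3Fu
#define HDR1_RFU_MASK   0xC0u

enum adv_status { ADV_OK = 0, ADV_TOO_SHORT, ADV_RESERVED_BITS,
                  ADV_BAD_LENGTH, ADV_LENGTH_MISMATCH };

struct adv_pdu { uint8_t type, len, payload[ADV_PAYLOAD_MAX]; };
/* Hypothetical receive-path check: the header is validated before any
 * size derived from it is used for a copy or an allocation. */
enum adv_status adv_parse(const uint8_t *frame, size_t frame_len,
                          struct adv_pdu *out)
{
    if (frame == NULL || out == NULL || frame_len < ADV_HDR_LEN)
        return ADV_TOO_SHORT;
    /* Reserved bits must be zero; a set bit is never folded into the length. */
    if ((frame[0] & HDR0_RFU_MASK) || (frame[1] & HDR1_RFU_MASK))
        return ADV_RESERVED_BITS;
    uint8_t len = frame[1] & HDR1_LEN_MASK;
    if (len < ADV_PAYLOAD_MIN || len > ADV_PAYLOAD_MAX)
        return ADV_BAD_LENGTH;
    if ((size_t)len != frame_len - ADV_HDR_LEN)  /* claimed vs. received bytes */
        return ADV_LENGTH_MISMATCH;
    out->type = frame[0] & 0x0Fu;
    out->len = len;
    memcpy(out->payload, frame + ADV_HDR_LEN, len);  /* len <= 37 here */
    return ADV_OK;
}

/* Runs the parser on a constructed frame: given header, zero-filled payload. */
enum adv_status adv_check_sample(uint8_t hdr0, uint8_t hdr1, size_t payload_len)
{
    uint8_t frame[ADV_HDR_LEN + 64] = {0};
    struct adv_pdu pdu;
    if (payload_len > 64)
        return ADV_LENGTH_MISMATCH;
    frame[0] = hdr0; frame[1] = hdr1;
    return adv_parse(frame, ADV_HDR_LEN + payload_len, &pdu);
}
```

A stack that also accepts a wider length field from a newer protocol revision has to size its buffers for that field everywhere the length is read, not only at the first check.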

A second vulnerability (CVE-2018-7080) was discovered by Armis in Texas Instruments’ over-the-air firmware download feature, which is used in Aruba’s Series 300 Wi-Fi access points that also use the BLE chip.

“This vulnerability is technically a backdoor in BLE chips that was designed as a development tool, but is active in these production access points,” according to Armis. “It allows an attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the device.”

Researchers said the second vulnerability exists because the over-the-air security mechanism can’t differentiate between “trusted” and “malicious” firmware updates. By installing their own firmware update, an attacker can gain a foothold on the hardware and take over the access points, spread malware and move laterally across network segments, researchers said.

The vulnerabilities were collectively given the name BleedingBit from the way researchers were able to overflow packets at the bit level in the BLE memory module.

BLE is a relatively new Bluetooth protocol designed for low-power devices such as IoT hardware. It’s significant for a number of reasons, such as its mesh capacities, but also for the fact that it evolves the protocol from consumer uses (headphones and smartphone data transfers) to commercial IoT uses.

For this reason, Seri said there is concern that the BleedingBit vulnerabilities could impact a larger universe of BLE devices, such as smart locks used in hotel chains and point-of-sale hardware.

Last year, Armis discovered nine zero-day Bluetooth-related vulnerabilities, dubbed BlueBorne, in Bluetooth chips used in smartphones, TVs, laptops and car audio systems. The scale was massive, with the flaws estimated to impact billions of Bluetooth devices.

(This article was updated with a comment from Cisco Systems on Friday 11/2 at 1pm ET)