Security researchers at Israeli security company Armis have discovered two vulnerabilities in Bluetooth Low Energy Chips (BLE) that could allow attackers to take control of affected devices, without authentication.
The set of vulnerabilities has been called “BleedingBit“. This isn’t the first time Armis have discovered Bluetooth affecting security flaws, in 2017 they discovered 9 zero-day Bluetooth related flaws that affected Android, Windows, iOS and Linux.
Bluetooth Low Energy (BLE) is a wireless personal area network technology designed to use considerably less power than traditional chips. The chips are made by Texas Instruments and are being used by Aruba, Meraki and Cisco across a range of products in their enterprise suite.
The first vulnerability (CVE-2018-16986) works by taking advantages of the way Bluetooth chips analyze incoming data. An attacker could overload the chip with more traffic than it knows how to handle, which commonly causes memory corruption, then allowing the attacker to execute malicious code onto the device.
This does require that the attacker is in close proximity to the device in order to gain the control, however, once the control has been gained the attacker would be able to launch attacks remotely over the internet.
The second vulnerability (CVE-2018-7080) affects Aruba’s Wi-Fi access point Series 300. The issue is with a firmware update by Texas Instruments called Over Air Firmware Download (OAD). All of the Aruba WiFi access points share the same OAD password, which means if an attacker managed to reverse engineer Aruba’s BLE firmware they can gain access and execute malicious code to rewrite and control the operating system.
“By default, the OAD feature is not automatically configured to address secure firmware updates. It allows a simple update mechanism of the firmware running on the BLE chip over a GATT transaction,” Armis researchers stated.
Texas Instruments, as well as Cisco and Meraki, were informed of the vulnerabilities earlier this year by Armis and given the time to create patches. Texas Instruments released a security patch on Thursday, Aruba has also released a security patch. It should be noted that Cisco and Aruba have noted that Bluetooth is disabled by default on their devices so they were unlikely to be successfully targeted in this way.