
Armis discovered two Bluetooth security flaws in Texas Instruments BLE chips

By Cal Jeffrey
Nov 1, 2018
  1. Update (11/5/18): Cisco provided TechSpot with a statement regarding the BLEEDINGBIT flaw. The spokesperson said that the flaw was limited in scope and certain features that an exploit would need are off by default. The full statement follows:

    "Cisco is aware of the third-party software vulnerability in the Bluetooth Low Energy (BLE) Stack on select chips that affects multiple vendors. When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco has identified a limited number of Aironet and Meraki Access Points which, under certain conditions, may be vulnerable to this issue.

    Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. Fixed software is available for all affected Cisco products. Cisco is not aware of any malicious use of the vulnerability."

    Cisco's PSIRT advisory can be found on its disclosure page. Instructions on how to disable the setting on Meraki devices are available on the brand's documentation page.

    Security researchers at Armis have recently discovered two Bluetooth vulnerabilities they have dubbed BLEEDINGBIT. The flaws are inherent in BLE chips manufactured by Texas Instruments. The ICs are used in networking devices including access points made by Cisco, Meraki, and Aruba Networks.

    Armis notes that these companies supply 70 percent of the wireless access points to businesses every year. However, they cannot determine exactly how many devices in total are affected.

    Putting it simply, the first exploit flips the highest bit in a Bluetooth packet causing a memory overflow, or “bleed.” Attackers can use this effect to run malicious code on Cisco and Meraki hardware.

    The second flaw affects Aruba devices and can allow the installation of malicious firmware. It works because the hardware does not perform a check to ensure that the firmware update is authentic.

    To exploit these holes, attackers need to be within range of a receiver. Most have a reach of about 100 meters. So conceivably a hacker could exploit the flaw from a parked car, unpack some malware, then drive off and use remote attacks via the internet assisted by the malicious package.

    Furthermore, once the bad actors are in, the network’s virtual walls are useless.

    “In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation,” said Armis. “Once the attacker gains control over an access point through one of these vulnerabilities, he can establish an outbound connection over the internet to a command and control server he controls, and continue the attack from a more remote location.”

    Ben Seri, vice president of the security firm, said they would not release the code used to perform the exploits, but that it is pretty straightforward. He also mentioned that attacks could be executed from any Bluetooth-enabled laptop or smartphone. BLEEDINGBIT is also not limited to just enterprise access points.

    “This exposure goes beyond access points, as these chips are used in many other types of devices and equipment,” said Seri. “They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more.”

    Texas Instruments has been informed of the flaw and has confirmed that it exists by issuing several patches. Even so, TechCrunch notes that TI has attacked Armis' findings, calling them “factually unsubstantiated and potentially misleading.”

    Cisco, Meraki, and Aruba have also issued patches for the affected devices. All companies say that Bluetooth on their devices is off by default, so only those that have been enabled by the purchasers or network administrators were at risk.

    You can check out a list of known affected devices in the Armis disclosure write-up.

  2. Uncle Al

    Uncle Al TS Evangelist Posts: 4,300   +2,756

    Just the latest in a long line of flawed chips from various mfg's. Don't any of these guys use quality control that includes outside consultants? Seems like after a while they would hire those that discover the flaws to have them do their own QC before going to market with the new chips...
     
  3. senketsu

    senketsu TS Guru Posts: 761   +510

    Nice
     
