In context: Bluetooth Low Energy (BLE), introduced with the Bluetooth 4.0 specification, is a wireless protocol designed for devices that exchange only small amounts of data. Fitbit fitness trackers are a good example, but it is also built into other hardware, including some enterprise networking equipment.
Update (11/5/18): Cisco provided TechSpot with a statement regarding the BLEEDINGBIT flaw. The spokesperson said that the flaw is limited in scope and that certain features an exploit would need are off by default. The full statement follows:
"Cisco is aware of the third-party software vulnerability in the Bluetooth Low Energy (BLE) Stack on select chips that affects multiple vendors. When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco has identified a limited number of Aironet and Meraki Access Points which, under certain conditions, may be vulnerable to this issue.
Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. Fixed software is available for all affected Cisco products. Cisco is not aware of any malicious use of the vulnerability."
Security researchers at Armis have disclosed two vulnerabilities in Bluetooth Low Energy chips made by Texas Instruments, which they have dubbed BLEEDINGBIT. The flaws live in the BLE stack of the TI chips themselves, and those chips are built into networking devices including wireless access points made by Cisco, Meraki, and Aruba Networks.
Armis notes that these three vendors together supply roughly 70 percent of the wireless access points sold to businesses each year. It cannot, however, determine exactly how many devices in total are affected.
Put simply, the first flaw (tracked as CVE-2018-16986) is a memory-corruption bug in how the TI BLE stack handles advertising packets: setting the highest bit in a specific byte of the packet header makes the chip accept more data than its buffer can hold, causing a memory overflow, or “bleed,” which is where the name comes from. Attackers can use this to run malicious code on Cisco and Meraki hardware.
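As an added illustration, and not code from Armis, Texas Instruments, or any access point vendor, the following C program models the class of bug described above. A BLE 4.x advertising PDU header carries its payload length in the low 6 bits of the second header byte (maximum 37 bytes), with the top two bits reserved. The vulnerable parser below trusts the whole byte, so a reserved bit set by the sender inflates the copy length past the fixed payload buffer; the hardened parser masks the field to its 6 valid bits and bound-checks it before copying. The fixed-size receive buffer, the canary placed next to the payload buffer, and the packet bytes are constructed assumptions for the demo and are not TI's actual stack layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BLE 4.x advertising PDU header is two bytes: byte 0 = PDU type and flags,
 * byte 1 = payload length. Only the low 6 bits of byte 1 are the length
 * (max 37 bytes); the top two bits are reserved for future use (RFU). */
#define ADV_HDR_LEN      2
#define ADV_PAYLOAD_MAX  37
#define ADV_LEN_MASK     0x3F
#define CANARY_LEN       4
#define CANARY_BYTE      0xA5
#define RX_BUF_LEN       (ADV_HDR_LEN + 255)  /* assumed fixed radio receive buffer */

/* Illustrative stack state (assumption, not TI's layout): the payload buffer is
 * followed by other data (modelled as a canary) and then slack, so the demo
 * overflow stays inside one object and is observable rather than a crash. */
struct adv_state {
    uint8_t mem[ADV_PAYLOAD_MAX + CANARY_LEN + 256];
};
#define PAYLOAD_OFF 0
#define CANARY_OFF  ADV_PAYLOAD_MAX

static void state_init(struct adv_state *st) {
    memset(st->mem, 0, sizeof st->mem);
    memset(st->mem + CANARY_OFF, CANARY_BYTE, CANARY_LEN);
}

static int canary_intact(const struct adv_state *st) {
    for (int i = 0; i < CANARY_LEN; i++)
        if (st->mem[CANARY_OFF + i] != CANARY_BYTE) return 0;
    return 1;
}

/* Vulnerable: uses the whole length byte, so a set RFU bit inflates the copy. */
int adv_parse_vulnerable(struct adv_state *st, const uint8_t *rx) {
    uint8_t len = rx[1];                                   /* BUG: reserved bits not masked */
    memcpy(st->mem + PAYLOAD_OFF, rx + ADV_HDR_LEN, len);  /* len may reach 255 */
    return len;
}

/* Hardened: mask to the 6-bit field and bound-check before copying. */
int adv_parse_hardened(struct adv_state *st, const uint8_t *rx) {
    uint8_t len = rx[1] & ADV_LEN_MASK;
    if (len > ADV_PAYLOAD_MAX) return -1;                  /* malformed: drop it */
    memcpy(st->mem + PAYLOAD_OFF, rx + ADV_HDR_LEN, len);
    return len;
}

/* Constructed attacker packet: a normal-looking ADV_IND whose length byte has its top bit set. */
void build_poisoned_packet(uint8_t *rx) {
    memset(rx, 0x41, RX_BUF_LEN);      /* attacker-controlled filler */
    rx[0] = 0x00;                      /* ADV_IND, public addresses */
    rx[1] = 0x80 | ADV_PAYLOAD_MAX;    /* 0xA5: reads as 165 if the RFU bit is not masked */
}

/* Runs a parser on the poisoned packet; returns the parser's length result. */
int parsed_len(int (*parse)(struct adv_state *, const uint8_t *)) {
    struct adv_state st;
    uint8_t rx[RX_BUF_LEN];
    state_init(&st);
    build_poisoned_packet(rx);
    return parse(&st, rx);
}

/* Runs a parser on the poisoned packet; returns 1 if the canary survived, 0 if it was clobbered. */
int run_parser(int (*parse)(struct adv_state *, const uint8_t *)) {
    struct adv_state st;
    uint8_t rx[RX_BUF_LEN];
    state_init(&st);
    build_poisoned_packet(rx);
    parse(&st, rx);
    return canary_intact(&st);
}

int main(void) {
    printf("vulnerable parser: len=%d, canary %s\n", parsed_len(adv_parse_vulnerable),
           run_parser(adv_parse_vulnerable) ? "intact" : "CLOBBERED");
    printf("hardened parser:   len=%d, canary %s\n", parsed_len(adv_parse_hardened),
           run_parser(adv_parse_hardened) ? "intact" : "CLOBBERED");
    return 0;
}
```

The point of the hardened version is that the on-air field width, not the width of the byte it arrives in, defines the trusted range: mask first, compare against the protocol maximum, and only then touch memory.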
The second flaw (CVE-2018-7080) affects Aruba access points and allows an attacker to push malicious firmware to the BLE chip. It works because the chip’s over-the-air firmware download (OAD) feature does not check that an incoming firmware image is authentic before installing it.
To exploit either hole, an attacker has to be within radio range of the vulnerable access point, which for most BLE radios is up to about 100 meters. Conceivably, a hacker could exploit the flaw from a parked car, implant malware, then drive off and continue the attack over the internet through that implant.
Furthermore, once the bad actors are in, the network’s internal segmentation offers no protection.
“In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation,” said Armis. “Once the attacker gains control over an access point through one of these vulnerabilities, he can establish an outbound connection over the internet to a command and control server he controls, and continue the attack from a more remote location.”
Ben Seri, vice president of the security firm, said Armis would not release the code used to perform the exploits, but that they are fairly straightforward. He also noted that the attacks can be launched from any Bluetooth-enabled laptop or smartphone, and that BLEEDINGBIT is not limited to enterprise access points.
“This exposure goes beyond access points, as these chips are used in many other types of devices and equipment,” said Seri. “They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more.”
Texas Instruments was notified of the flaws and has effectively confirmed them by issuing several patches. Even so, TechCrunch notes that TI has criticized Armis’s findings, calling them “factually unsubstantiated and potentially misleading.”
Cisco, Meraki, and Aruba have also issued patches for the affected devices. All three say Bluetooth is off by default on their hardware, so only devices on which it had been enabled by the purchaser or a network administrator were at risk; administrators who do not need BLE can simply leave it disabled.
You can find a list of known affected devices in the Armis disclosure write-up.