By Ben Seri, VP of Research
Last month we disclosed BLEEDINGBIT, two critical chip-level vulnerabilities related to the use of Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) used in millions of enterprise access points made by Cisco, Meraki, and Aruba, which together account for nearly 70% of the market. Using BLEEDINGBIT, an unauthenticated attacker can break into enterprise networks undetected, take control of an access point, and render network segmentation useless.
Today, at the BlackHat Europe conference, we revealed new details about BLEEDINGBIT. In our talk, we discussed how we discovered these vulnerabilities and demonstrated exploitation of the RCE (Remote Code Execution) vulnerability on a Cisco access point. We also presented a video demonstration of how an attacker can exploit the OAD (Over the Air firmware Download) RCE vulnerability on an Aruba access point.
BLEEDINGBIT RCE vulnerability (CVE-2018-16986) on a Cisco 1815W Access Point
The first BLEEDINGBIT RCE (Remote Code Execution) vulnerability resides in a TI chip embedded in many devices. The following is a demonstration of how a bad actor could use the on-board BLE chip to take over the device and penetrate the network.
BLEEDINGBIT OAD RCE vulnerability (CVE-2018-7080) on an Aruba Series 300 Access Point.
The second BLEEDINGBIT vulnerability was specific to the Aruba Access Point Series 300. While a bad actor could simply conduct an attack from your lobby using a laptop or smartphone, we took our demonstration a step further. We attached a smartphone to a drone and attacked an Aruba access point from outside our Tel Aviv office – on the 27th floor.
Technical White Paper
Our researchers also released an accompanying technical white-paper with extensive details on both the vulnerabilities and their exploitation process. For a list of affected devices, please visit the list on the BLEEDINGBIT report on our website. We strongly advise all companies using an access point featuring TI BLE chips to verify whether the BLEEDINGBIT vulnerabilities affect them, and I invite companies who are affected or who have questions to contact us at firstname.lastname@example.org and to use our pgp key to send an encrypted report so we can assist them.