Bleeding Bit: Two Bluetooth Chip Flaws in Cisco and Meraki Devices

Two flaws in Bluetooth chips open millions of devices to attack

Security researchers detailed a pair of critical vulnerabilities in Bluetooth Low Energy (BLE) chips embedded in global access points and networking devices.

The Hacker News fills in the details: “Dubbed BleedingBit, the set of two vulnerabilities could allow remote attackers to execute arbitrary code and take full control of vulnerable devices without authentication, including medical devices such as insulin pumps and pacemakers, as well as point-of-sales and IoT devices.

“Discovered by researchers at Israeli security firm Armis, the vulnerabilities exist in Bluetooth Low Energy (BLE) Stack chips made by Texas Instruments (TI) that are being used by Cisco, Meraki, and Aruba in their enterprise line of products.

“The first vulnerability, identified as CVE-2018-16986, exists in TI chips CC2640 and CC2650 and affects many Cisco and Meraki’s Wi-Fi access points. The bug takes advantage of a loophole in the way Bluetooth chips analyze incoming data.

“According to the researchers, sending more traffic to a BLE chip than it’s supposed to handle causes memory corruption, commonly known as a buffer overflow attack, which could allow an attacker to run malicious code on an affected device.”

But wait — there’s more. “The second vulnerability, identified as CVE-2018-7080, resides in CC2642R2, CC2640R2, CC2640, CC2650, CC2540, and CC2541 TI chips, and affects Aruba’s Wi-Fi access point Series 300.

“This vulnerability stems from an issue with Texas Instruments’ firmware update feature in BLE chips called Over the Air firmware Download (OAD).

“Since all Aruba access points share the same OAD password which can be ‘obtained by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware,’ an attacker can deliver a malicious update to the targeted access point and rewrite its operating system, gaining full control over the device.”

After discovering BleedingBit, Armis contacted all affected companies in June 2018 and worked with them to help them patch the issues.

Read more on The Hacker News
