Severe vulnerabilities expose wireless access points to attack


Researchers have discovered two severe vulnerabilities in several popular wireless access points that, if exploited, could allow hackers to compromise enterprise networks.

The two critical vulnerabilities stem from Bluetooth Low Energy (BLE) chips manufactured by Texas Instruments (TI) and embedded in wireless access points from Cisco, Meraki and Aruba.

The faults were found by IoT security firm Armis, which has dubbed the vulnerabilities “BLEEDINGBIT”.

If exploited, they could allow an attacker to break into enterprise networks undetected, take over access points, spread malware and move laterally across network segments. To make matters worse, because the attack is delivered over the BLE radio rather than the wired or Wi-Fi network, neither vulnerability can be detected or stopped by traditional network or endpoint security solutions.

Impact on enterprise networks

The first BLEEDINGBIT vulnerability affects the TI CC2640 and CC2650 BLE chips embedded in Cisco and Meraki Wi-Fi access points. It is proximity-based: an attacker within BLE radio range can trigger memory corruption in the chip's BLE stack, and from that position could go on to compromise the main system of the access point and gain full control over it.
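The article does not go into packet-level detail, and the following C is an added illustration of the bug class rather than the BLEEDINGBIT flaw itself or any TI code. A BLE advertising payload is a sequence of AD structures laid out as [len][type][data...], where every len byte is chosen by the sender; a stack that copies on the strength of those bytes without checking them against what it actually received is where memory corruption of this kind comes from. The fixed 31-byte buffer, the `ad_struct_t` type and the sample packets are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legacy BLE advertising payloads are at most 31 bytes; the hypothetical RX
 * buffer modelled here is sized to exactly that. */
#define ADV_DATA_MAX 31
#define AD_MAX_STRUCTS 8

/* One decoded AD structure. On the wire, len counts the type byte plus the
 * data bytes and is entirely under the sender's control. */
typedef struct {
    uint8_t type;
    uint8_t len;                 /* number of bytes in data[] */
    uint8_t data[ADV_DATA_MAX];
} ad_struct_t;

/* The bug class: a stack that walks the payload trusting each len byte.
 * This function only MEASURES how far such a walk would run past the end of
 * the received packet (0 = in bounds); it never performs the out-of-bounds
 * copy, so it is safe to run. A stack that did the copy would read, and then
 * write, attacker-chosen bytes beyond its buffers. */
size_t adv_overrun_if_trusted(const uint8_t *pkt, size_t pkt_len) {
    size_t i = 0, worst = 0;
    while (i < pkt_len) {
        size_t len = pkt[i];
        if (len == 0) break;                 /* zero length terminates the list */
        size_t end = i + 1 + len;            /* where this structure claims to end */
        if (end > pkt_len && end - pkt_len > worst) worst = end - pkt_len;
        i = end;
    }
    return worst;
}

/* Hardened parser: every length is checked against the bytes actually
 * received and against the destination before anything is copied. Returns
 * the number of AD structures decoded, or -1 if the payload is malformed. */
int adv_parse_checked(const uint8_t *pkt, size_t pkt_len,
                      ad_struct_t *out, size_t max_out) {
    if (pkt == NULL || out == NULL || pkt_len > ADV_DATA_MAX) return -1;
    size_t i = 0;
    int n = 0;
    while (i < pkt_len) {
        size_t len = pkt[i];
        if (len == 0) break;
        if (len > pkt_len - i - 1) return -1;      /* claims more bytes than remain */
        if ((size_t)n >= max_out) return -1;       /* more structures than we can hold */
        out[n].type = pkt[i + 1];
        out[n].len = (uint8_t)(len - 1);
        memcpy(out[n].data, &pkt[i + 2], len - 1); /* len - 1 <= 29 < ADV_DATA_MAX */
        n++;
        i += 1 + len;
    }
    return n;
}

int main(void) {
    /* Constructed packets, not captures. benign: Flags + Complete Local Name "Test". */
    const uint8_t benign[] = { 0x02, 0x01, 0x06, 0x05, 0x09, 'T', 'e', 's', 't' };
    /* hostile: second structure claims 30 bytes, but only 2 follow its length byte. */
    const uint8_t hostile[] = { 0x02, 0x01, 0x06, 0x1E, 0x09, 'A' };
    ad_struct_t ads[AD_MAX_STRUCTS];

    printf("benign : overrun if trusted = %zu, checked parse = %d\n",
           adv_overrun_if_trusted(benign, sizeof benign),
           adv_parse_checked(benign, sizeof benign, ads, AD_MAX_STRUCTS));
    printf("hostile: overrun if trusted = %zu, checked parse = %d\n",
           adv_overrun_if_trusted(hostile, sizeof hostile),
           adv_parse_checked(hostile, sizeof hostile, ads, AD_MAX_STRUCTS));
    return 0;
}
```

The checked parser rejects the hostile packet outright, while the measuring function shows that a trusting walk would reach 28 bytes past the end of what was received. The same shape of check (wire length versus bytes remaining, then versus destination size) applies to every length-prefixed field a radio stack parses, not only to advertising data.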

The second vulnerability affects Aruba Series 300 Wi-Fi access points, which carry the TI CC2540 BLE chip, and specifically their use of TI's over-the-air firmware download (OAD) feature. The issue lies in what Armis describes as a built-in backdoor: a firmware-update mechanism in the BLE chip that is left reachable on production devices.

Where the device manufacturer has not locked the feature down correctly, a nearby attacker can reach OAD and use it to push a completely different firmware image, rewriting the operating system of the BLE chip. By default, OAD does not distinguish a trusted firmware update from a malicious one: it does not authenticate the image it is handed. An attacker could therefore abuse the feature to gain a foothold on the access point and, from there, penetrate the network behind it.
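As an added example (not TI's OAD implementation and not Aruba's firmware), the following C sketches the acceptance decision the paragraph describes: an update path that flashes any well-formed image beside one that only flashes an image carrying a valid authentication tag and a newer version number. The image layout, the `OAD_MAX_BODY` cap, the `DEMO_KEY` and the choice of SipHash-2-4 as the MAC are this example's assumptions; a production design would rather verify a public-key signature, so that no secret has to live inside every access point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OAD_MAX_BODY 256   /* hypothetical image size cap for this example */

/* SipHash-2-4 (Aumasson & Bernstein): 128-bit key, 64-bit tag. Used here as a
 * stand-in for the signature check a production OAD path should perform. */
#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(v0, v1, v2, v3) do {                                  \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);      \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                           \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                           \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

static uint64_t load64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len) {
    uint64_t k0 = load64le(key), k1 = load64le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {
        uint64_t m = load64le(in + i);
        v3 ^= m; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m;
    }
    uint64_t b = (uint64_t)len << 56;   /* final block: length byte + leftover bytes */
    for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;
    for (int r = 0; r < 4; r++) SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Hypothetical OAD image: small header, firmware body, and a tag over
 * version || body_len || body. The layout is this example's, not TI's. */
typedef struct {
    uint16_t version;
    uint16_t body_len;
    const uint8_t *body;
    uint8_t tag[8];
} oad_image_t;

static int oad_compute_tag(const oad_image_t *img, const uint8_t key[16], uint8_t out[8]) {
    if (img->body == NULL || img->body_len == 0 || img->body_len > OAD_MAX_BODY) return -1;
    uint8_t buf[4 + OAD_MAX_BODY];
    buf[0] = (uint8_t)img->version;  buf[1] = (uint8_t)(img->version >> 8);
    buf[2] = (uint8_t)img->body_len; buf[3] = (uint8_t)(img->body_len >> 8);
    memcpy(buf + 4, img->body, img->body_len);
    uint64_t t = siphash24(key, buf, 4 + img->body_len);
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(t >> (8 * i));
    return 0;
}

/* Vendor build step: attach the tag. Returns 0 on success. */
int oad_sign(oad_image_t *img, const uint8_t key[16]) {
    return oad_compute_tag(img, key, img->tag);
}

/* Constant-time comparison so a tag cannot be guessed one byte at a time. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

/* The failure mode in the text: any well-formed image is flashed. */
bool oad_accept_unauthenticated(const oad_image_t *img) {
    return img->body != NULL && img->body_len > 0 && img->body_len <= OAD_MAX_BODY;
}

/* The fix: flash only if the tag verifies under the provisioned key and the
 * image is newer than what is installed (refuses replay of an old build). */
bool oad_accept_authenticated(const oad_image_t *img, const uint8_t key[16],
                              uint16_t installed_version) {
    uint8_t expect[8];
    if (oad_compute_tag(img, key, expect) != 0) return false;
    if (!ct_equal(expect, img->tag, sizeof expect)) return false;
    return img->version > installed_version;
}

/* Demo key, constructed for this example; a real key is provisioned at manufacture. */
const uint8_t DEMO_KEY[16] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                               0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };

int main(void) {
    uint8_t body[] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04, 0x05 }; /* constructed */
    oad_image_t img = { .version = 2, .body_len = sizeof body, .body = body };
    oad_sign(&img, DEMO_KEY);
    printf("genuine image : unauth=%d auth=%d\n",
           oad_accept_unauthenticated(&img), oad_accept_authenticated(&img, DEMO_KEY, 1));
    body[0] ^= 0x01;   /* attacker substitutes different code, keeps the header and tag */
    printf("tampered image: unauth=%d auth=%d\n",
           oad_accept_unauthenticated(&img), oad_accept_authenticated(&img, DEMO_KEY, 1));
    return 0;
}
```

The unauthenticated path accepts the genuine and the tampered image alike, which is exactly the property the paragraph describes; the authenticated path accepts only the image built with the key and only if it moves the version forward. Note that with a symmetric MAC the verifying key is also a signing key, so extracting it from one access point would let an attacker sign images for all of them; that is the argument for a signature scheme in which the access point holds only a public key.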

Patches incoming

TI has already released a software update addressing the first vulnerability; patches from Cisco, Meraki and Aruba are expected by the beginning of November.

Travis Biehn, technical strategist and research lead at Synopsys, offered further insight on the patching process:

"I'm concerned about the technical details about how you'd pivot from the BLE microcontroller to the microcontroller controlling the executive router functions. This will be arbitrary for each affected device.

"So, intrinsically, the TI chips seem to have vulnerabilities that give attackers the ability to compromise their runtime on those TI chips; an attacker needs to identify another vulnerability between the TI chip and the main access point microcontroller to achieve the level of access described by these security researchers (and this is the likely source of TI's response).

"Patching this will depend on whether A) the TI BLE microcontrollers have a method for updating their firmware, and B) the access point microcontroller has functionality and connectivity to reach TI's firmware update routine."