According to a report from The Hacker News, security researchers have found a new vulnerability in Bluetooth chips that could potentially expose millions of users to remote attacks. The vulnerability was discovered by researchers at the Israeli security firm Armis and has been dubbed BleedingBit.
The first vulnerability, identified as CVE-2018-16986, exists in the TI CC2640 and CC2650 chips and affects Cisco and Meraki Wi-Fi access points by exploiting a flaw in those Bluetooth chips. It allows an attacker to overload the chip, corrupting its memory and allowing the attacker to run malicious code on the affected device.
First, the attacker sends multiple benign BLE broadcast messages, called advertising packets, which are stored in the memory of the vulnerable BLE chip in the targeted device.
Next, the attacker sends the overflow packet: a standard advertising packet with a subtle alteration, a specific bit in its header turned on instead of off. This bit causes the chip to allocate a much larger space for the packet's data than it really needs, triggering an overflow of critical memory in the process.
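The defensive counterpart to the two steps above is a receive path that never sizes a copy from header bits alone. The following C parser is an added example, not code from the article, from Armis or from TI's firmware: the 2-byte header layout and the 37-byte legacy payload limit follow the Bluetooth Core specification, while the buffer sizes, structure and sample frames are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Legacy BLE advertising PDU: 2-byte header, then a payload of at most
 * 37 bytes (6-byte AdvA + up to 31 bytes of AdvData). Byte 1 of the header
 * carries the payload length. Buffer sizes and samples here are constructed. */
#define ADV_HDR_LEN     2u
#define ADV_MAX_PAYLOAD 37u

typedef struct {
    uint8_t pdu_type, tx_add, rx_add, payload_len;
    uint8_t payload[ADV_MAX_PAYLOAD];   /* fixed size: never sized from the header */
} adv_pdu_t;

/* Hardened parse: the length the header claims is checked against the fixed
 * buffer and against the bytes actually received before anything is copied.
 * Sizing the copy purely from header bits, without these checks, is the
 * memory-corruption pattern the article describes. */
bool adv_parse(const uint8_t *frame, size_t frame_len, adv_pdu_t *out)
{
    if (frame == NULL || out == NULL || frame_len < ADV_HDR_LEN)
        return false;
    uint8_t len = frame[1];
    if (len > ADV_MAX_PAYLOAD)                 /* more than the buffer holds */
        return false;
    if ((size_t)len + ADV_HDR_LEN > frame_len) /* more than was received */
        return false;
    out->pdu_type    = frame[0] & 0x0Fu;
    out->tx_add      = (frame[0] >> 6) & 1u;
    out->rx_add      = (frame[0] >> 7) & 1u;
    out->payload_len = len;
    memcpy(out->payload, frame + ADV_HDR_LEN, len);
    return true;
}

/* Constructed sample frames, not captured traffic. */
static const uint8_t SAMPLE_OK[] = {0x00, 0x09, 0x01, 0x02, 0x03, 0x04, 0x05,
                                    0x06, 0x02, 0x01, 0x06};  /* ADV_IND, 9 bytes */
static const uint8_t SAMPLE_OVERSIZE[39] = {0x00, 0xFF};     /* claims 255 bytes */
static const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x10, 0xAA}; /* claims 16, has 1 */

/* Returns how many of the three samples the parser handled as expected (3). */
int adv_selftest(void)
{
    adv_pdu_t p;
    int ok = 0;
    if (adv_parse(SAMPLE_OK, sizeof SAMPLE_OK, &p) && p.payload_len == 9 &&
        p.pdu_type == 0 && p.payload[8] == 0x06) ok++;
    if (!adv_parse(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, &p)) ok++;
    if (!adv_parse(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &p)) ok++;
    return ok;
}
```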
The second vulnerability, identified as CVE-2018-7080, resides in the TI CC2642R2, CC2640R2, CC2640, CC2650, CC2540 and CC2541 chips and affects Aruba's Series 300 Wi-Fi access points. It allows an attacker to deliver a malicious firmware update without the user's knowledge.
By default, the chips' OAD (over-the-air download) feature is not configured for secure firmware updates; it provides a simple mechanism for updating the firmware running on the BLE chip over a GATT transaction.
An attacker can connect to the BLE chip on a vulnerable access point and upload malicious firmware containing the attacker's own code, effectively rewriting the chip's operating system completely and thereby gaining full control over it.
The good news is that all the vulnerabilities were reported by Armis to the responsible companies in June 2018 and have since been patched. Moreover, both Cisco and Aruba noted that their devices ship with Bluetooth disabled by default. No vendor is aware of anyone actively exploiting any of these zero-day vulnerabilities in the wild.