A pair of new Bluetooth security flaws expose wireless access points to attack

Security researchers have found two severe vulnerabilities affecting several popular wireless access points, which — if exploited — could allow an attacker to compromise enterprise networks.
The two bugs are found in Bluetooth Low Energy chips built by Texas Instruments, which networking device makers — like Aruba, Cisco and Meraki — use in their line-up of enterprise wireless access points. Although the two bugs are distinctly different and target a range of models, the vulnerabilities can allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks.
Security company Armis calls the vulnerabilities “Bleeding Bit,” because the first bug involves flipping the highest bit in a Bluetooth packet, which causes the chip’s memory to overflow — or bleed — and which an attacker can then use to run malicious code on affected Cisco or Meraki hardware.
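To show the class of bug the first flaw belongs to, here is an added example that is not code from Armis, Texas Instruments or the article: a simplified, hypothetical packet layout in which the header byte’s low seven bits carry a length and its highest bit is reserved, with a parser that trusts the raw byte beside a hardened one that masks and bounds-checks it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified layout for illustration only (not the actual
 * Texas Instruments firmware format): one header byte whose low 7 bits are
 * the payload length and whose highest bit is reserved, then the payload.
 * The receive buffer holds at most 31 payload bytes. */
#define ADV_MAX_PAYLOAD 31
#define HDR_LEN_MASK    0x7F
#define HDR_RESERVED    0x80

/* A parser that trusts the whole header byte as a length. Setting the
 * reserved bit turns a legal length of 3 into 131, so a copy into the
 * 31-byte buffer would overflow. This version only reports the length
 * it would use; it performs no copy. */
int naive_payload_len(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    return pkt[0];
}

/* Hardened parser: reject the reserved bit, mask the length field, and
 * check the declared length against both the destination buffer and the
 * number of bytes actually received before copying anything. */
int checked_copy_payload(const uint8_t *pkt, size_t pkt_len,
                         uint8_t out[ADV_MAX_PAYLOAD]) {
    if (pkt_len < 1) return -1;
    if (pkt[0] & HDR_RESERVED) return -1;      /* reserved bit must be clear */
    size_t len = pkt[0] & HDR_LEN_MASK;
    if (len > ADV_MAX_PAYLOAD) return -1;       /* would exceed the buffer   */
    if (len > pkt_len - 1) return -1;           /* frame shorter than claimed */
    memcpy(out, pkt + 1, len);
    return (int)len;
}
```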
The second flaw allows an attacker to install a malicious firmware version on one of Aruba’s devices, because the software doesn’t properly check to see if it’s a trusted update or not.
Although the security researchers say the bugs allow remote code execution, the attacks are technically local — in that a would-be attacker can’t exploit the flaws over the internet and would have to be within Bluetooth range. In most cases, that’s about 100 meters or so — longer with a directional antenna — so anyone sitting outside an office building in their car could feasibly target an affected device.
“In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation,” Armis said in a technical write-up.
Ben Seri, vice president of research at Armis, said that the exploit process is “relatively straight forward.” Although the company isn’t releasing exploit code, Seri said that all an attacker needs is “any laptop or smartphone that has built-in Bluetooth in it.”
But he warned that the Bluetooth-based attack can be just one part of a wider exploit process.
“Once the attacker gains control over an access point through one of these vulnerabilities, he can establish an outbound connection over the internet to a command and control server he controls, and continue the attack from a more remote location,” he said. That would give an attacker persistence on the network, making it easier to conduct surveillance or steal data once the attackers drive away.
“Bleeding Bit” allows an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. (Image: Armis/supplied)