The idea that vulnerabilities in Bluetooth Low Energy (BLE) chips, frequently embedded in networking equipment because it has a longer battery life than earlier Bluetooth chips, can be exploited to give attackers a way to take over enterprise Wi-Fi networks is a scary one. While the likelihood of such an attack remains low, the issue highlights a weakness in enterprise network architecture.
Researchers from Armis, a company specializing in Internet of Things security, identified two vulnerabilities in four BLE chips (CC2540/1, CC2640/50, CC2640R2, and CC2642R) manufactured by Texas Instruments which are used in wireless access points made by Cisco, Cisco-owned Meraki, and HP-owned Aruba. BLE chips are increasingly being used in different types of consumer devices and enterprise networking equipment in a variety of industries such as healthcare, industrial, automotive, and retail. A hospital may rely on BLE in its network to track Bluetooth-enabled medical devices moving around the medical campus.
“Because of the BLE chip’s position within the software stack and firmware, it allows privileged access to the access point,” Armis CTO and co-founder Nadir Izrael said.
While Cisco, Aruba, and Cisco-owned Meraki account for 70 percent of wireless access point hardware sold to enterprises annually, the impact is unclear because the vulnerability is present in only a subset of access points. Cisco has information on how the vulnerability affects about a dozen Cisco and Meraki access point models. Aruba patched the issue for its affected access points. Texas Instruments has also patched the chips.
Attackers can send advertising packets containing malicious code, which is stored in the chip’s memory and executed later; to the access point, the packets look like benign BLE messages. The attackers then trigger a memory overflow in the chip by sending a standard advertising packet with one bit turned on instead of off. That flipped bit causes the data to be stored in a too-large block of memory, giving the attackers the extra memory they need to run the malicious code sent earlier in the advertising packets and overwrite the chip’s firmware. With the chip under their control, attackers can then overwrite the device’s firmware, monitor user communications, and infect other devices on the network.
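As an added illustration of the kind of length-field handling the article describes (example code written for this page, not Armis research or Texas Instruments firmware), the C below contrasts a naive parser that reads a whole header byte as the packet length with a spec-conformant one that masks the 6-bit field and rejects frames with reserved bits set. The legacy BLE 4.x header layout (Length in bits 0-5 of the second header byte, reserved bits 6-7) and the 37-octet payload limit are assumptions of the example, and the frames are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legacy (BLE 4.x) advertising PDU: 2-byte header, payload of at most 37 octets.
 * Assumption of this example: header byte 1 holds Length in bits 0-5, RFU in bits 6-7. */
#define ADV_MAX_PAYLOAD 37u

/* Fixed-size receive slot, the kind of buffer an inflated length would overrun. */
typedef struct {
    uint8_t hdr[2];
    uint8_t payload[ADV_MAX_PAYLOAD];
    uint8_t len;
} adv_pdu_t;

/* Naive parse: takes the whole byte as the length, so a set reserved bit inflates it. */
static uint8_t naive_length(const uint8_t *hdr) { return hdr[1]; }

/* How many bytes a naive parser would write past the 37-byte payload slot (0 if none). */
int naive_overrun(const uint8_t *hdr) {
    uint8_t n = naive_length(hdr);
    return n > ADV_MAX_PAYLOAD ? (int)(n - ADV_MAX_PAYLOAD) : 0;
}

/* Spec-conformant parse: mask the 6-bit field and reject frames with reserved bits set. */
static bool spec_length(const uint8_t *hdr, uint8_t *out) {
    if (hdr[1] & 0xC0) return false;
    *out = hdr[1] & 0x3F;
    return true;
}

/* Copies a frame into the slot; returns payload length, or -1 if the frame is rejected.
 * Every copy is bounded by the declared field size, never by the on-air length alone. */
int adv_receive(adv_pdu_t *dst, const uint8_t *frame, size_t frame_len) {
    uint8_t len;
    if (frame_len < 2 || !spec_length(frame, &len)) return -1;
    if (len > ADV_MAX_PAYLOAD || (size_t)len + 2 > frame_len) return -1;
    memcpy(dst->hdr, frame, 2);
    memcpy(dst->payload, frame + 2, len);
    dst->len = len;
    return (int)len;
}

int main(void) {
    adv_pdu_t slot;
    uint8_t good[39] = {0x00, 0x25};  /* constructed: length 37, reserved bits clear */
    uint8_t bad[39]  = {0x00, 0x65};  /* constructed: same frame with one reserved bit set */
    printf("good: accepted=%d\n", adv_receive(&slot, good, sizeof good));
    printf("bad: naive overrun=%d bytes, spec result=%d\n",
           naive_overrun(bad), adv_receive(&slot, bad, sizeof bad));
    return 0;
}
```

The point for a firmware reviewer is the last two checks in adv_receive: the on-air length is only trusted after it has been masked to the spec's width and compared against the real buffer size.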
Expensive Attack
Once the first access point is compromised, the rest of the network is open to attack. Armis said an attack can be launched from a Bluetooth-enabled laptop and can be as quick as two minutes. But, getting to that first access point may not be so straightforward.
For the attack to succeed, the BLE chip has to be listening for advertising packets, which means BLE has to be turned on and device scanning enabled. That is already a barrier to attack, since the affected Cisco and Meraki equipment have scanning turned off by default, and BLE is disabled by default on affected Aironet devices. BLE is also turned off by default in Aruba’s AP-3xx, AP-207, and AP-203R(P). Just having the vulnerable equipment in the network doesn’t mean automatically being at risk.
One of the biggest concerns about attacks against networking equipment is that enterprises may not be aware of their exposure because they may not know whether they have the affected systems, or whether the devices they have contain a vulnerable component. The fact that BLE and scanning aren’t turned on by default, at least for the currently known vulnerable Cisco and Meraki models, limits the risk for most enterprises.
Enterprises should still check to see if they have the affected access points and apply the patches as soon as they are able to.
The vulnerability in Aruba devices can be exploited using the optional Over Air Download feature, which is used to download and install updates onto the device. The feature doesn't validate that the updates are legitimate, which means anyone who reverse engineers the password protecting the updates (the same one is used for all updates) can install code onto any Aruba device with the feature turned on. Enterprises should turn off Over Air Download.
An important thing to remember about Bluetooth-based attacks: they are proximity attacks. The attacker needs to be physically near the network. In this particular case, the attackers need to be within range—most receivers have a range of about 100 meters or less—of the actual receiver. The attacker has to know where the receivers are and get close enough to launch the exploit.
Just walking around the building or down the hallways may not get the attacker close enough. An attack like this would require detailed reconnaissance to succeed.
Even for enterprises that have turned on scanning and BLE because they are taking advantage of the beaconing capability in their environment, an attack like this is complicated. While Izrael said the attack itself is easy, the amount of work needed to develop exploit code (it's not a trivial matter to write code that can cause a memory overflow in this kind of chip) and the pre-planning add up to a significant amount of work.
The fact that Armis has not released the exploit code may help keep the likelihood of this vulnerability ever being targeted low.
Still, patch when possible.
Bypass Segmentation
The most concerning part about the research from Armis is how the attack ignores network architecture. Network segmentation, or carving out specialized parts of the network so that if one section gets compromised, the attackers can’t easily get to the other parts, is a networking best practice. Several of the largest retail data breaches happened because point-of-sale systems were on the same network as corporate systems, so attackers were able to move around the network from one machine to another and get to the most valuable systems. Segmenting the network puts up walls between different parts, making it harder to move around.
Armis found that because the vulnerability is in BLE and the attack code relies on advertising packets, attackers don't have to worry about segmented networks. The broadcast signal reaches any device with the BLE chip in range, and lets the attacker install the firmware on each of those devices.
“Once the attacker gained control, he can reach all networks served by it, regardless of any network segmentation,” said Izrael.
Once the access point is under attacker control, attacking devices connected to it and eavesdropping on traffic flowing in and out of the network is much easier. The attacker still has to find the server with valuable data to steal or the user to target, but being on the network opens up a lot of opportunities.
While the current focus is on access points from the three vendors using the vulnerable chips from one manufacturer, that doesn’t mean this vulnerability cannot impact other vendors. BLE chips can be found in devices other than wireless access points, including medical devices such as pacemakers and insulin pumps, retail equipment, gaming gear, and home automation devices, Izrael said. The vulnerabilities are also not within the protocol, but in the way the BLE chip was made. Implementation issues are dangerous because they can show up across multiple vendors, depending on how each manufacturer applied the standard. Bluetooth specifications leave too much room for interpretation, which is why there have been other implementation issues in the past.
These new vulnerabilities highlight the fact that everything may be fine with the security of the wireless network, but something else can be used to provide a way in. Enterprises should make sure they are using the components as needed and thinking about the exposure to their networks.