Flaws in BLE Chips Expose Millions of Enterprise Wi-Fi APs to Hacking

Security researchers have found two serious vulnerabilities in Bluetooth Low Energy (BLE) chips from Texas Instruments (TI) that are used in millions of Wi-Fi access points, but also in devices from various industries including health care, automotive and retail.

The two vulnerabilities, known collectively as BLEEDINGBIT, are located in the BLE stack and can be exploited to take control of devices that incorporate the affected TI chips. They were discovered by researchers from security firm Armis in wireless access points from Cisco Systems, Meraki (now part of Cisco) and Aruba Networks, an HP subsidiary.

These vendors account for the majority of access points used in enterprises, but only APs that contain one of the affected BLE radio chips and have it turned on are affected. The CERT Coordination Center (CERT/CC) is currently working to identify other affected vendors and devices.

The first vulnerability, identified as CVE-2018-16986, can be exploited without authentication and without having any prior knowledge of the targeted device, as long as it listens to BLE communication.

First, attackers have to send several benign BLE broadcast messages called advertising packets that contain certain code, which will be triggered later. They then send a specially crafted advertising packet with a certain bit turned on, which triggers an overflow and allows the execution of the previously sent code.

“At this point, the attacker can run malicious code on the targeted device, and install a backdoor on the vulnerable chip, which will await further commands transmitted over BLE,” the Armis researchers said in a blog post. “The attacker can also change the behavior of the BLE chip and attack the main processor of the device, gaining full control over it. In the case of an access point, once the attacker has gained control, he can reach all networks served by it, regardless of any network segmentation. Furthermore, the attacker can use the device in his control to spread laterally to any other device in its vicinity, launching a truly airborne attack.”

This remote code execution vulnerability affects the following TI chips: CC2640 (non-R2) with BLE-STACK version 2.2.1 or earlier; CC2650 with BLE-STACK version 2.2.1 or earlier; CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); and CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or earlier.

Access points that include these chips include Cisco Aironet Access Points 1800i, 1810, 1815i, 1815m, 1815w, 4800 and 1540, as well as Meraki APs MR30H, MR33, MR42E, MR53E and MR74. Cisco has released updates for these devices.

The second vulnerability, CVE-2018-7080, stems from an over-the-air update feature in TI CC2642R, CC2640R2, CC2640, CC2650, CC2540 and CC2541 chips that can serve as a backdoor to deliver maliciously modified firmware code.

According to TI, this feature is intended to only be used during development and should be disabled in production systems. However, the Armis researchers found it enabled on some Aruba APs, namely Aruba AP-3xx and IAP-3xx series access points, as well as AP-203R and AP-203RP.

“In the case of Aruba’s access points, a hardcoded password was added (that is identical across all Aruba APs that support BLE) to prevent the OAD feature from being easily abused by attackers,” the researchers said. “However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code, effectively allowing a complete rewrite of its operating system, thereby gaining full control over it.”

Aruba is in the process of releasing software updates and advises users to upgrade to ArubaOS versions 6.4.4.20, 6.5.3.9, 6.5.4.9, 8.2.2.2 and 8.3.0.4 when they become available. At this time only ArubaOS 6.5.4.9 has been released.
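The practical question for an administrator reading the two advisories above is which access points in the inventory still need attention. The following is an added example, not code from Armis, Texas Instruments, Cisco or Aruba: it encodes the affected TI BLE-STACK/SDK versions for CVE-2018-16986 and the fixed ArubaOS builds for CVE-2018-7080 exactly as the article lists them, and runs them over a constructed inventory. Two assumptions are made for the example and marked in the code: an ArubaOS "release train" is identified by the first three version components (so 6.5.4.9 fixes 6.5.4.x), and for the CC2640R2F, where the article names only SDK 1.00.00.22, earlier SDK builds are conservatively treated as affected too. The ArubaOS version is used as a proxy for the OAD exposure the article describes; only devices with the BLE radio enabled are reported, matching the article's scoping.

```python
"""Inventory triage for BLEEDINGBIT (CVE-2018-16986 / CVE-2018-7080).

Added example; not vendor or researcher code. Version thresholds come from
the article; the ArubaOS "release train" rule and the CC2640R2F
"or earlier" treatment are assumptions made for this example.
"""
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '6.5.4.9' or '1.00.00.22' into a tuple
    of ints so that versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.strip().split("."))


# CVE-2018-16986: chip -> (software identifier, last affected version).
# "or earlier" in the advisory means version <= threshold is affected.
# For CC2640R2F the article names only 1.00.00.22; treating earlier builds
# as affected is a conservative assumption of this example.
BLE_RCE_AFFECTED = {
    "CC2640": ("BLE-STACK", "2.2.1"),
    "CC2650": ("BLE-STACK", "2.2.1"),
    "CC2640R2F": ("SimpleLink CC2640R2 SDK", "1.00.00.22"),
    "CC1350": ("SimpleLink CC13x0 SDK", "2.20.00.38"),
}


def ti_chip_vulnerable(chip: str, stack_version: str) -> bool:
    """True if the chip/stack combination falls inside the affected range."""
    entry = BLE_RCE_AFFECTED.get(chip)
    if entry is None:
        return False  # chip not listed as affected by the RCE advisory
    _, last_affected = entry
    return parse_version(stack_version) <= parse_version(last_affected)


# CVE-2018-7080 on Aruba APs: first ArubaOS build on each release train
# that carries the fix, as listed in the article.
ARUBAOS_FIXED = ["6.4.4.20", "6.5.3.9", "6.5.4.9", "8.2.2.2", "8.3.0.4"]


def arubaos_needs_update(running: str) -> bool:
    """True if the running ArubaOS build predates the fixed build on its train.

    A train is the first three version components (assumption). A build on a
    train with no listed fix is reported as needing attention, because the
    article names no fixed build for it.
    """
    rv = parse_version(running)
    for fixed in ARUBAOS_FIXED:
        fv = parse_version(fixed)
        if rv[:3] == fv[:3]:
            return rv < fv
    return True


# Constructed inventory records (hostname, vendor, chip or OS, version,
# BLE radio enabled). These are sample values, not real devices.
INVENTORY = [
    ("ap-lobby-01", "Cisco", "CC2640", "2.2.1", True),
    ("ap-lab-02", "Cisco", "CC2640", "2.2.1", False),   # BLE radio off
    ("ap-floor3", "Meraki", "CC2650", "2.2.2", True),    # above threshold
    ("ap-hq-a", "Aruba", "ArubaOS", "6.5.4.8", True),
    ("ap-hq-b", "Aruba", "ArubaOS", "6.5.4.9", True),    # already fixed
    ("ap-branch", "Aruba", "ArubaOS", "8.2.2.1", True),
]


def flag_inventory(records) -> List[Tuple[str, str]]:
    """Return (hostname, finding) pairs for devices that still need action."""
    findings = []
    for host, _vendor, component, version, ble_on in records:
        if not ble_on:
            continue  # advisory scope: only APs with BLE turned on are affected
        if component == "ArubaOS":
            if arubaos_needs_update(version):
                findings.append((host, "CVE-2018-7080: upgrade ArubaOS"))
        elif ti_chip_vulnerable(component, version):
            findings.append((host, "CVE-2018-16986: BLE-STACK update required"))
    return findings


if __name__ == "__main__":
    for host, finding in flag_inventory(INVENTORY):
        print(f"{host}: {finding}")
```

Feeding the constructed inventory through `flag_inventory` reports ap-lobby-01, ap-hq-a and ap-branch; ap-lab-02 is skipped because its BLE radio is off, and ap-floor3 and ap-hq-b are past the affected and fixed versions respectively. Replace `INVENTORY` with the output of your own controller or management-platform export to use it for real.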

“BLEEDINGBIT is the latest addition to the growing number of airborne threats, such as BlueBorne, KRACK Attack, the Broadcom vulnerabilities and several others,” the Armis researchers said. “Airborne attacks are beneficial to attackers for several reasons. First, they allow them to operate virtually undetected, as traditional security measures cannot detect them. Second, they are contagious by their nature, allowing the attack to spread to any device in the vicinity of the initial breach.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
