Clearly the existence of vulnerability 'BleedingBit' that enables remote access existing in many low-power Bluetooth chips

It was revealed that there was a serious vulnerability in the BLE (Bluetooth Low Energy) chip used for access points and network equipment that exist in countless numbers around the world.

Two New Bluetooth Chip Flaws Expose Millions of Devices to Remote Attacks
https://thehackernews.com/2018/11/bluetooth-chip-hacking.html

The problem named " BleedingBit " is a pair of two types of vulnerability problems that operate in pairs, and it is possible to operate on devices that operate without authentication, such as medical devices such as insulin pumps and pacemakers, POS devices and IoT devices It is possible to execute arbitrary code and to completely hijack the device.

The vulnerability discovered by Israeli security company Armis researchers is present in Texas Instruments (TI) made BLE stack chip implemented by Cisco, Meraki, and Aruba for enterprise products. Armis is a company that discovered vulnerability "BlueBorne" in 2017 that can take over several billions of devices such as smartphones, laptops, televisions, watches and automobile audio systems without being noticed.

A vulnerability "BlueBorne" that can take over a smartphone via Bluetooth without being noticed by the other party? - GIGAZINE

BleedingBit discovered by Armis this time consists of two vulnerabilities.

◆ Remote Code Execution (RCE) Vulnerability: CVE-2018-16986
The vulnerability registered as "CVE - 2018 - 16986" in the common vulnerability identifier (CVE) exists in TI 's chip "CC 2640" and "CC 2650", and the Cisco and Meraki Wi - Fi access points It affects. This bug uses loophole when Bluetooth chip analyzes received data. According to researchers, sending more traffic to the BLE chip than normally processed causes a memory problem called "buffer overflow," which could allow an attacker to attack malicious code on the affected device It will be possible to execute it.

First, an attacker sends a harmless data packet "Advertising Packets" in a BLE broadcast message to multiple target devices and stores them in memory. The attacker then sends an overflow packet. The overflow packet used at this time is changed to a state in which a specific bit is turned "ON" by changing a part of the normal Advertising Packets, which triggers the chip to have more memory The area is secured, and memory overflow occurs.

In order to cause this problem, the attacker needs to be located close to the BLE chip, so it can not be executed remotely. However, once this vulnerability is established on the chip, there is a backdoor on the chip all the time since then, remote access via the Internet is also possible, which is a big problem There is a risk of becoming a trigger.

◆ RCE vulnerability in Over the Air firmware Download (OAD): CVE-2018-7080
The second vulnerability exists on TI's chips "CC2642R2", "CC2640R2", "CC2640", "CC2640", "CC2650", "CC2540" and "CC2541" and affects the Aruba Wi-Fi access point "Series 300" It is caused by a problem related to the firmware update function called Over the Air firmware Download (OAD) which is mounted on the device.

The cause is that all access points made by Aruba have the same OAD password, which can be analyzed by sniffing and reverse engineering of BLE chip. If this is exploited, it is said that an attacker can send illegal firmware to the target device, and it will be able to completely take over the device.

◆ The problem has been resolved. Although a vulnerability that enables large-scale takeover is also found, in fact this problem is said to be completed by each vendor. The problem was discovered in the beginning of 2018, and discoverer Armis provided vulnerability information to each vendor in June 2018. Each company concerned implemented countermeasures and said that an update that solved the problem had already been deployed.