BLEEDINGBIT: Your APs Belong to Us

Presented at Black Hat Europe 2018, Dec. 6, 2018, 1:30 p.m. (50 minutes)

Enterprise Wi-Fi access points featuring BLE (Bluetooth Low Energy) chips have become increasingly common in recent years. While these chips provide new features, they also introduce risks that create a new network attack surface.

In this talk, we will demonstrate BLEEDINGBIT, two zero-day vulnerabilities in Texas Instruments' (TI) BLE chips used in Cisco, Meraki, and Aruba wireless access points. These vulnerabilities allow an unauthenticated attacker to penetrate an enterprise network over the air.

The first BLEEDINGBIT vulnerability was discovered in the BLE stack embedded on TI chips in Cisco and Meraki Wi-Fi access points. The second vulnerability was discovered in TI's OAD (over-the-air firmware download) feature, which is used by nearly every Aruba Wi-Fi access point currently for sale. Combined, these vendors represent 80% of all wireless access points sold each year to enterprises.

Using BLEEDINGBIT, an attacker first achieves RCE on the BLE chip, and then can use the BLE chip to compromise the main OS of the access point and gain full control over it. Once an access point has been compromised, an attacker can read all traffic going through the access point, distribute malware, and even move laterally between network segments.

Although first discovered in wireless access points, BLEEDINGBIT vulnerabilities may exist in many types of devices and equipment used across many different industries. For example, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts. Retailers use BLE for mobile credit card readers and indoor navigation applications. A BLEEDINGBIT attack against any of these devices would come out of thin air, bypassing existing security controls and catching these organizations unprotected.

Presenters:

  • Dor Zusman - Security Researcher, Armis
    Dor Zusman is a researcher at Armis, with rich real-world experience in cybersecurity research. Prior to Armis, Dor was a researcher, network security specialist and developer in Israeli Defense Forces intelligence. Dor specializes in reverse engineering, vulnerability research and network pentesting of large corporate networks. He is currently reversing IoT devices in search of novel ways to abuse them as bridgeheads into corporate networks. In his free time Dor likes to build his own house, to compensate for the walls he takes down in cyberspace.
  • Ben Seri - VP of Research, Armis
    Ben Seri is the VP of Research at Armis, responsible for vulnerability research and reverse engineering. His main interest is exploring the uncharted territories of a variety of wireless protocols to detect unknown anomalies. Prior to Armis, Ben spent almost a decade in the Israeli Defense Forces Intelligence as a researcher and security engineer. In his free time Ben enjoys composing and playing as many instruments as the wireless protocols he's researching.