RSA Conference 2019: BleedingBit Flaws Continue to Plague Firms


BleedingBit’s impact continues to spread across various devices, researchers at RSA Conference 2019 said.


SAN FRANCISCO – Mobile key platform UniKey has patched vulnerabilities related to the infamous BleedingBit attack in its platform.

BleedingBit is an issue in Bluetooth Low-Energy chips made by Texas Instruments (and used in millions of wireless access points), which was disclosed in November 2018. According to researchers at Armis, who first discovered BleedingBit, some of the affected BLE radio components were used in some UniKey reference designs and products.

“UniKey’s security architecture inherently distrusts system components outside of our direct control, including the BLE software stack running on third-party components,” according to a UniKey release. “Due to this, the vulnerability cannot be exploited to initiate locking or unlocking of any UniKey powered devices. In addition, all UniKey products support encrypted, over-the-air firmware updates.”

The researchers said in a Wednesday session at RSA Conference 2019 that the latest patch showcases just how widespread BleedingBit is on various devices – and the breadth of attacks that the flaws could enable.

“BleedingBit essentially is a wide-range set of vulnerabilities in chips by [Texas Instruments],” Armis CTO and co-founder Nadir Izrael told Threatpost at RSA. “They are prevalent in many different kinds of products. The primary focus of the original disclosure was wireless access points, which affect most enterprises of the world. But as we dug through it and made responsible disclosures processes with other companies, we found many other devices are affected.”

The most recent type of impact is what Izrael describes as “the concept of the phone as a key.” UniKey is a mobile key platform provider that brings mobile access control products to businesses, retail, hospitality and residential markets.

“Since these affected BLE radio components were used in some UniKey reference designs and products, UniKey worked closely with TI and Armis to implement immediate corrective action,” UniKey said in its statement. “As security is UniKey’s main priority, the company took immediate action to push out a patch and worked with its partners to distribute the necessary software updates to the potentially impacted products.”

The first vulnerability (CVE-2018-16986) is tied to the Texas Instruments CC2640/50 chips used in Cisco and Cisco Meraki access points. This vulnerability is a remote code-execution flaw in the BLE chip and can be exploited by a nearby unauthenticated hacker.

A second vulnerability (CVE-2018-7080) was discovered by Armis in Texas Instruments’ over-the-air firmware download feature used in the Aruba Wi-Fi access point Series 300, which also uses the BLE chip.

Texas Instruments released patches (BLE-STACK SDK version 2.2.2) for affected hardware in November that will be available via OEMs.

Adversaries can exploit the bugs simply by being within approximately 100 to 300 feet of the vulnerable devices. A successful exploit lets an attacker take control of the access point, capture all traffic, and then use the compromised device as a springboard for further internal attacks.

Moving forward, BleedingBit continues to impact various products beyond corporate enterprise networks – for instance, Zebra devices were found to be affected.

“The problem is a lot of things have BLE,” said Izrael. “It’s very prevalent as a technology. BLE is everywhere – all our phones have it, a lot of different devices have it for any number of reasons, access points have it – so the implications are very broad.”


This article was updated on March 9 at 11 a.m. ET to reflect the fact that the BleedingBit vulnerability cannot be exploited to initiate locking or unlocking of any UniKey powered devices.
