A new Bluetooth vulnerability called Bleedingbit came out yesterday, affecting Bluetooth APs if they use a Texas Instruments chip. With many IoT devices using Bluetooth, including TVs, cellphones, locks, and modern cars, there are a lot of devices that could potentially be exploited.
Before we dive in, if you are a WatchGuard customer, you’re probably wondering if you are affected. Only the WatchGuard AP325 includes a Bluetooth radio, which remains disabled in current firmware. Furthermore, the AP325 does not use a Texas Instruments Bluetooth chipset and is not affected by this vulnerability.
Bleedingbit consists of two separate vulnerabilities. The first one affects only Aruba Access Point Series 300 and allows attackers to run their own firmware on the Bluetooth chip if they obtain a hard-coded password, which all Aruba Access Point Series 300 devices use. This password appears to be a leftover from development that wasn’t removed for production.
The second vulnerability is far more widespread. It allows any user within Bluetooth range to run malicious code on affected Bluetooth chips. Once their code executes on the Bluetooth chip, they can read any connection over Bluetooth from the AP. The attacker could also use the Bluetooth chip as a jump point to exploit other chip vulnerabilities on the AP and take over the AP. This could give them access to every network segment that is connected to the AP.
The researchers haven’t released the details of the vulnerability, so it will be difficult to know which devices are affected. The current list of affected devices is here. So far only Cisco, Meraki, and Aruba devices are known to be vulnerable; however, any device with a Texas Instruments Bluetooth chip may be vulnerable. Fortunately, Bluetooth must be enabled for an attacker to exploit this vulnerability.
If your device is affected and is a Cisco or Meraki AP, then we recommend patching the vulnerability. If it is unknown whether your AP has the vulnerability, then we recommend disabling Bluetooth on the device and checking with the vendor to see if your AP is affected. If you must have Bluetooth enabled, then we recommend segmenting the entire AP, including management of the AP. Any traffic from it should be treated like external traffic. We recommend not sending any sensitive information over the AP.
If you have a vulnerable Aruba Access Point Series 300, then update with the latest security patch once it is released.
If you are in a high-security environment, then we recommend not using Bluetooth at all. Bluetooth has a long list of past vulnerabilities due to vagueness in the protocol.
Because this vulnerability requires the attacker to be within Bluetooth range, physical security of the premises will also mitigate this exploit. However, Bluetooth has a range of 100 feet, and it can reach farther with a directional antenna. It would be better to disable Bluetooth altogether.
Keep an eye out for security patches from your access point vendor if you own an affected model. Once a patch is released for your device, be sure to install it to keep your network safe.