(All) Your APs (Are) Belong to Us, by Ben Seri & Dor Zusman
BleedingBit and IoT devices, by Ron Chestang
Connectivity has driven innovation in recent years, and with good cause: interacting with the world around us with no wires attached is obviously more convenient. To make the most of such innovations, enterprise Wi-Fi access points are increasingly embedding BLE (Bluetooth Low Energy) chips. While these chips provide new features, they also introduce risks that create a new network attack surface.
In this talk, we will demonstrate BLEEDINGBIT, two zero-day vulnerabilities in Texas Instruments (TI) BLE chips used in Cisco, Meraki, and Aruba wireless access points, that allow an unauthenticated attacker to penetrate an enterprise network over the air. Using BLEEDINGBIT, an attacker first achieves RCE on the BLE chip, and then leverages that position to compromise the main OS of the access point and gain full control over it. Once an access point has been compromised, an attacker can read all traffic going through the access point, distribute malware, and even move laterally between network segments.
Vulnerabilities such as BLEEDINGBIT have a frightening potential, as the use of BLE is skyrocketing, driven by the rise of IoT devices. Recent examples of this trend include secure 2FA keys such as Google's Titan Security Key, which nowadays also comes in a cableless version, and Apple's new "Find My" feature, which turns all Apple devices into a collective hive-mind that tracks the whereabouts of neighboring Apple devices that send out a unique BLE beacon. Even implanted medical devices, such as pacemakers, have started using BLE as their primary channel for telemetry and control. A BLEEDINGBIT-type attack against any of these devices would come out of thin air, bypassing existing security controls and catching these organizations unprotected.