Wi-Fi access points made by Cisco Systems Inc., Cisco Meraki and Aruba Networks are vulnerable to being hacked via two newly discovered vulnerabilities in Bluetooth Low Energy Chips made by Texas Instruments Inc. and used in the devices.

Discovered by security researchers at Armis Inc., the vulnerabilities, dubbed “BLEEDINGBIT,” affects the routers in different ways depending on the manufacturer.

Cisco and Meraki access points running TI BLE chips have a proximity-based vulnerability that if exploited triggers a memory corruption in the BLE stack, allowing a would-be hacker to compromise the main system of the access point.

The second vulnerability involves a TI BLE chip used in Aruba access points and allows a hacker to exploit TI’s over-the-air firmware download feature. Described as a backdoor designed to allow firmware updates, the same feature can also be exploited by an attacker to install a different version of the device’s firmware, one that can be changed to allow access outside of normal parameters.

While the researchers detected the vulnerabilities in Wi-Fi access points they note that the vulnerabilities described may be found in many other devices as well.

“This exposure potentially goes beyond access points, as these chips are used in many other types of devices and equipment,” said Ben Seri, vice president of research at Armis. “They are used in a variety of industries such as healthcare, industrial, automotive, retail and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.”

Nick Murison, managing consultant at the Synopsys Software Integrity Group, told SiliconANGLE that the vulnerability is not in the protocol but rather in the way the protocol has been implemented on the affected chipsets.

“This underscores the importance for vendors to test that their implementations not only adhere to the protocol specification but also respond in a secure manner when presented with malformed traffic,” Murison said. “It seems like a rather obvious product placement, but protocol fuzzing tools such as Synopsys’ Defensics are designed to do just this.”

Murison explained that there were other steps companies can take earlier in the development lifecycle to prevent implementation bugs from surviving all the way through to production.

Murison added that on a more proactive level, “companies should be looking to ensure developers understand the repercussions of such implementation bugs through a diverse training offering that fits around the developers’ working style. As part of the design phase, companies should also be looking at threat modeling or architecture risk analysis to identify potential security weak spots, and look for opportunities to make the overall solution secure by design.”

Image: Armis