THREAT HORIZON – BLEEDINGBIT

Priority: High

Executive Summary: Armis have discovered two vulnerabilities in Bluetooth Low Energy (BLE) chips produced by Texas Instruments (TI). These have been named BLEEDINGBIT. The vulnerabilities affect many Cisco, Meraki and Aruba products which feature the chips.

Two TI chips, CC2640 and CC2650, can be corrupted by malformed BLE packets. This can allow an attacker to achieve remote code execution or cause a denial of service. A second flaw affects four TI chips used by Aruba: CC2540/1, CC2640/50, CC2640R2, and CC2642R. The chips use an over-the-air download feature which was designed to be disabled during production, but this feature has not been disabled as intended. Consequently, the feature acts as a leftover backdoor, which would allow an attacker to overwrite the device OS.

The two TI chips used by Cisco, CC2640 and CC2650, use Bluetooth version 4, which has a maximum line-of-sight range of around 100m [4]. In most environments, the effective range is expected to be 20-40m. However, this is still far enough to give a potential attacker access to their target in many circumstances.

Updates are available for the TI chips, meaning that this vulnerability can be protected against.

Affected Products: The following section outlines the known affected devices; more may be discovered.

The following TI chips are affected:
CC2640
CC2650
CC2640R2F
CC1350

The following Cisco products are affected:
Cisco 1540 Aironet Series Outdoor Access Points
Cisco 1800i Aironet Access Points
Cisco 1810 Aironet Access Points
Cisco 1815i Aironet Access Points
Cisco 1815m Aironet Access Points
Cisco 1815w Aironet Access Points
Cisco 4800 Aironet Access Points
Meraki MR30H AP
Meraki MR33 AP
Meraki MR42E AP
Meraki MR53E AP
Meraki MR74

All Aruba series 300 APs are affected.

Prevent: Users of any of the affected products are strongly advised to upgrade their products as soon as possible. Customers can also update the TI chips to patch the vulnerabilities.

Customers may wish to disable BLE where possible on any devices which use BLE, as BLE adds a potential attack vector which may not need to exist.

React: Customers should regularly check for further updates and announcements from Texas Instruments (TI) and the vendors of affected products for the latest information.

Sources:
[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
[2] https://armis.com/bleedingbit/#devices
[3] https://www.theregister.co.uk/2018/11/01/it_bit_by_ti_chip_slipup_dubbed_bleedingbit/
[4] https://en.wikipedia.org/wiki/Bluetooth_Low_Energy#Technical_details