What are the PCI and security implications of Bleeding Bit

6 November 2018 · Network security & Compliance

Security Principle

“Keep It Simple, Stupid!” (KISS) is a fundamental security principle because vulnerabilities seem to increase with complexity.

Simplicity is one of the lessons that we learned this week from the “BleedingBit” vulnerability, which affects Bluetooth chips found in Cisco, Meraki, Aruba, Intel, Apple, and other devices. Most companies buy wireless access points and networking equipment because they need to provide wireless access or manage their networks. They don’t usually need to track employees with fitness wristbands, smart watches, or mobile devices around their office. However, these (often unused) features are enabled by default on some enterprise devices and expose them to a security flaw that Armis named “BleedingBit.”

Armis found the full impact of a previously-known Texas Instruments bug and published details about the vulnerability at https://armis.com/bleedingbit.

How it happens

Every chip and feature in a device adds vulnerabilities. Tracking employees with fitness wristbands, smart watches, or company assets around the office might sound like a cool feature that isn’t expensive to add. However, the Texas Instruments (TI) Bluetooth Low Energy (BLE) chip that enables this feature was yet another place where a security vulnerability could exist. As a result, the wireless access points and networking equipment that companies use to protect themselves also have yet another potential security flaw. In the case of BleedingBit, this vulnerability is undetectable and can be used to defeat network segmentation and other safeguards.

Impact

Many companies use Meraki and other network equipment to create firewall rules that protect sensitive networks like those that contain credit card machines, customer data, health records, critical infrastructure, or other regulated systems. The BleedingBit vulnerability allows attackers to use the vulnerable BLE chip to bypass these firewall rules and reach “protected” networks from publicly-accessible networks like a guest wireless system. Companies that relied on Meraki or Aruba to protect credit card systems for PCI (Payment Card Industry) compliance were no longer in compliance because of BleedingBit. As a result, sensitive systems were exposed.

In addition to potential credit card breach fines, BleedingBit also exposed companies to penalties and reporting requirements associated with privacy breaches under statutes like the European GDPR and the Canadian PIPEDA regulations.

Solution

The immediate response includes patching Cisco Aironet devices to 8.8.100.0 or later and Meraki MR devices to 25.13 or later. Aruba has also released patches for versions 6.4.4.20, 6.5.3.9, 6.5.4.9, 8.2.2.2, and 8.3.0.4 or later. We also suggest disabling the BLE features on these devices where possible, to mitigate this vulnerability and future related ones. Unfortunately, disabling BLE also means that over-the-air updates will be more difficult in the future.
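To turn the patch levels above into something a network team can act on, the following added example (not code from the original post or from any of the vendors named) walks a device inventory and flags each device as patched, vulnerable, mitigated (BLE turned off while still unpatched), or unknown. The minimum fixed releases are the ones stated in this post; the inventory is constructed sample data, and treating each Aruba fixed release as the floor for its own three-component firmware branch is an assumption about how those releases map onto Aruba's firmware trains.

```python
"""Flag network devices whose firmware predates the BleedingBit fixes.

Added example, not from the original post. Minimum fixed versions are the
ones the post lists; the inventory is constructed sample data; the
per-branch matching for Aruba is an assumption (see FIXED_VERSIONS).
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum fixed releases per product family, as stated in the post.
# Aruba has one fixed release per firmware branch (first three components):
# a device on branch 6.5.3 is fixed at 6.5.3.9 or later. A device on a branch
# not listed here is reported as "unknown" rather than guessed at.
FIXED_VERSIONS = {
    "cisco-aironet": ["8.8.100.0"],
    "meraki-mr": ["25.13"],
    "aruba": ["6.4.4.20", "6.5.3.9", "6.5.4.9", "8.2.2.2", "8.3.0.4"],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.8.100.0' into (8, 8, 100, 0) so versions compare numerically.

    String comparison would wrongly rank '25.9' above '25.13'; tuples of ints
    do not have that problem.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Device:
    name: str
    family: str       # key into FIXED_VERSIONS
    firmware: str
    ble_enabled: bool


def assess(device: Device) -> str:
    """Return 'patched', 'vulnerable', 'mitigated' (BLE off) or 'unknown'."""
    fixed = FIXED_VERSIONS.get(device.family)
    if fixed is None:
        return "unknown"
    running = parse_version(device.firmware)
    if device.family == "aruba":
        # Assumption: the fixed release for a device is the one sharing its
        # three-component branch; an unlisted branch cannot be assessed here.
        candidates = [parse_version(v) for v in fixed
                      if parse_version(v)[:3] == running[:3]]
        if not candidates:
            return "unknown"
        minimum = candidates[0]
    else:
        minimum = parse_version(fixed[0])
    if running >= minimum:
        return "patched"
    # Turning the BLE radio off removes the exposed component even before the
    # firmware is updated, so an unpatched device with BLE off is "mitigated".
    return "mitigated" if not device.ble_enabled else "vulnerable"


def report(devices: list[Device]) -> dict[str, list[str]]:
    """Group device names by assessment so the vulnerable set is easy to act on."""
    out: dict[str, list[str]] = {}
    for d in devices:
        out.setdefault(assess(d), []).append(d.name)
    return out


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Device("ap-lobby-01", "cisco-aironet", "8.5.140.0", True),
    Device("ap-lobby-02", "cisco-aironet", "8.8.100.0", True),
    Device("mr-floor2-01", "meraki-mr", "25.9", False),
    Device("mr-floor2-02", "meraki-mr", "25.13", True),
    Device("aruba-core-01", "aruba", "6.5.3.7", True),
    Device("aruba-core-02", "aruba", "8.3.0.4", True),
    Device("aruba-lab-01", "aruba", "8.4.0.1", True),
]

if __name__ == "__main__":
    for status, names in sorted(report(SAMPLE_INVENTORY).items()):
        print(f"{status:10s} {', '.join(names)}")
```

Devices that come back "unknown" still need a human to check the vendor advisory; the script deliberately refuses to guess when a firmware branch is not covered by a listed fix.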

An easy way to keep it simple from the beginning is by using secure, low-feature systems like the Lavawall™ to protect sensitive systems like credit card machines, point of sale systems, customer databases, health networks, and critical infrastructure. Lavawall™ hardware doesn’t have Bluetooth or other features that aren’t necessary to protect sensitive systems. Similarly, Lavawall™ doesn’t have remote management ports or other weaknesses like those exploited by VPNFilter, which infected over 500,000 Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE devices in May 2018.

When it comes to security, we need to focus on simplicity and reducing opportunities for attack.