Israeli researchers have disclosed two new Bluetooth attacks that only require the attacker to be within radio range of the target. The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.
The chips are used by companies like Cisco, Meraki and Aruba in their enterprise wireless products.
The chips are also used in pacemakers and insulin pumps. Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these attacks will likely keep working for years.
We recently saw Russian spies poisoned in England. What if you hacked the spy’s pacemaker instead? Think of the possibilities. Is anyone going to reverse engineer the device firmware afterwards? What if the hack restored the original code after the patient was dead?
The future of the spy business.
Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …
The first bug sends the chip more data than it can handle, causing a buffer overrun that gives the attacker the ability to run arbitrary code on the chip.
The second bug is in TI’s over-the-air firmware download (OAD) feature, which lets new firmware be pushed to the chip over Bluetooth. In the affected Aruba access points, that feature is protected by a password that is the same on every unit, which makes this an easy exploit.
In either case, once the device is compromised, the attacker no longer needs to be nearby: as long as the device is connected to the Internet, it can be controlled from anywhere.
All the vendors have released patches for the chips – TO THEIR OEMs! So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.
And then you need to patch your light bulb. All of them.
So what is there to do?
- Make sure that you have a vendor cyber risk management program and that you ask each vendor how they deal with security issues like this.
- Make sure that you have an effective patching program. These flaws were responsibly disclosed only after patches were available, but you still have to install them.
- Configure systems to automatically check for and install patches where possible.
- If you do not need protocols like Bluetooth, disable them – with light bulbs and similar devices, this is probably not possible.
- Isolate IoT devices from the rest of your network and from each other – this is called micro-segmentation. It limits the damage a compromised device can do.
- Stay on top of threat intelligence: news feeds from your industry, from your vendors and from the government. Now that you know this is a problem, you can look for patches for your light bulbs.
It is an ugly situation, and it is only going to get a lot uglier as people deploy IoT solutions without considering security.
Information for this post came from The Hacker News.