BLEEDINGBIT: Your APs Belong to Us

Conference:  BlackHat EU 2018



BLE chips, which are often treated as mere peripheral chips, can be vulnerable to attack, and because access points and other network infrastructure devices are unmanaged devices, a compromised chip can lead to a breach of the entire network.
  • BLE chips, sometimes dismissed as peripheral chips, can themselves be vulnerable to attack
  • Access points and network infrastructure devices are also unmanaged devices
  • Compromising a BLE chip can lead to a network breach
  • An attack on a BLE chip can escalate into an attack on the entire network
The presentation showed how a Raspberry Pi controlled by the attacker was used to send custom packets that exploit a vulnerability in a Cisco access point. The attack succeeded in uploading chosen beacon data onto the device and instructing the BLE chip to start advertising the malicious beacon. Once the access point was compromised, nearby devices scanning for BLE beacons would see a beacon announcing 'you're a piece we don't trust'.
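The final step of that demo, a beacon that any nearby scanner can read, points to the complementary check a defender wants: decode what an access point's BLE radio is actually advertising and compare it with the beacons the organisation deployed. The following is an added example, not code from the talk or from any of the vendors named on this page. It parses the standard BLE advertising AD-structure format (length, type, value) and decodes an iBeacon frame; the sample frames, the placeholder local name "PWNED" and the inventory sets passed to `audit_advertisement` are constructed for illustration.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# AD types from the Bluetooth Assigned Numbers ("Generic Access Profile" table).
AD_FLAGS = 0x01
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_MANUFACTURER = 0xFF
APPLE_COMPANY_ID = 0x004C      # company ID carried by iBeacon frames


@dataclass
class AdStructure:
    ad_type: int
    data: bytes


def parse_ad_structures(payload: bytes) -> List[AdStructure]:
    """Split an advertising or scan-response payload (at most 31 bytes for
    legacy advertising) into its length/type/value triplets.

    The length byte counts the type byte plus the data. A structure whose
    length runs past the end of the payload is rejected instead of being
    silently truncated: a scanner that guesses at malformed input is easy to fool.
    """
    structures: List[AdStructure] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                       # zero length means padding; ignore the rest
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        structures.append(AdStructure(payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structures


def _find(ads: List[AdStructure], ad_type: int) -> Optional[bytes]:
    for ad in ads:
        if ad.ad_type == ad_type:
            return ad.data
    return None


def local_name(ads: List[AdStructure]) -> Optional[str]:
    """Complete local name if present, else the shortened name, else None."""
    raw = _find(ads, AD_COMPLETE_NAME)
    if raw is None:
        raw = _find(ads, AD_SHORT_NAME)
    return raw.decode("utf-8", errors="replace") if raw is not None else None


def decode_ibeacon(ads: List[AdStructure]) -> Optional[Dict[str, object]]:
    """Decode an iBeacon frame from the manufacturer-specific structure, or None."""
    mfr = _find(ads, AD_MANUFACTURER)
    if mfr is None or len(mfr) < 25:
        return None
    company = int.from_bytes(mfr[0:2], "little")              # company ID is little-endian
    if company != APPLE_COMPANY_ID or mfr[2:4] != b"\x02\x15":  # iBeacon type 0x02, length 0x15
        return None
    body = mfr[4:]
    return {
        "uuid": str(uuid.UUID(bytes=body[0:16])),
        "major": int.from_bytes(body[16:18], "big"),            # iBeacon fields are big-endian
        "minor": int.from_bytes(body[18:20], "big"),
        "tx_power": int.from_bytes(body[20:21], "big", signed=True),  # calibrated dBm at 1 m
    }


def audit_advertisement(adv: bytes, scan_rsp: bytes,
                        known_uuids: Set[str], known_names: Set[str]) -> Dict[str, object]:
    """Compare what a radio advertises with an inventory of deployed beacons.
    The inventory sets are assumed inputs supplied by the operator."""
    ads = parse_ad_structures(adv) + parse_ad_structures(scan_rsp)
    name = local_name(ads)
    beacon = decode_ibeacon(ads)
    reasons: List[str] = []
    if beacon is None:
        reasons.append("no iBeacon frame in advertisement")
    elif beacon["uuid"] not in known_uuids:
        reasons.append(f"beacon UUID {beacon['uuid']} not in inventory")
    if name is not None and name not in known_names:
        reasons.append(f"unexpected local name {name!r}")
    return {"name": name, "beacon": beacon, "suspicious": bool(reasons), "reasons": reasons}


# CONSTRUCTED sample frames (not captured from the talk's demo). ADV_IND payload:
# Flags plus a 26-byte iBeacon manufacturer structure, 30 bytes in total.
SAMPLE_ADV = bytes.fromhex(
    "020106"                              # Flags: LE General Discoverable, BR/EDR not supported
    "1aff4c000215"                        # len 26, Manufacturer Specific, Apple, iBeacon 0x02 0x15
    "00112233445566778899aabbccddeeff"    # proximity UUID (made up)
    "0001" "0002" "c5"                    # major 1, minor 2, tx power -59 dBm
)
# SCAN_RSP payload carrying a placeholder complete local name "PWNED".
SAMPLE_SCAN_RSP = bytes.fromhex("0609" + "PWNED".encode().hex())

if __name__ == "__main__":
    print(audit_advertisement(SAMPLE_ADV, SAMPLE_SCAN_RSP,
                              known_uuids=set(), known_names=set()))
```

Run against an empty inventory, the sample pair is flagged for both an unknown proximity UUID and an unexpected local name; with the UUID added to `known_uuids` and no scan response, the same advertisement passes. The strict length check in `parse_ad_structures` matters for a monitoring tool: a radio under attacker control can emit frames whose AD lengths are deliberately wrong, and a parser that trims them to fit will report a tidy, wrong picture.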


Enterprise Wi-Fi access points featuring BLE (Bluetooth Low Energy) chips have become increasingly common in recent years. While these chips provide new features, they also introduce risks that create a new network attack surface. In this talk, we will demonstrate BLEEDINGBIT, two zero-day vulnerabilities in Texas Instruments' (TI) BLE chips used in Cisco, Meraki, and Aruba wireless access points, that allow an unauthenticated attacker to penetrate an enterprise network over the air. The first BLEEDINGBIT vulnerability was discovered in the BLE stack embedded on TI chips in Cisco and Meraki Wi-Fi access points. The second vulnerability was discovered in TI's OAD (over-the-air firmware download) feature used by nearly every Aruba Wi-Fi access point currently for sale. Combined, these vendors represent 80% of all wireless access points sold each year to enterprises.

Using BLEEDINGBIT, an attacker first achieves RCE on the BLE chip, and then can use the BLE chip to compromise the main OS of the access point and gain full control over it. Once an access point has been compromised, an attacker can read all traffic going through the access point, distribute malware, and even move laterally between network segments.

Although first discovered in wireless access points, BLEEDINGBIT vulnerabilities may exist in many types of devices and equipment used across many different industries. For example, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts. Retailers use BLE for mobile credit card readers and indoor navigation applications. A BLEEDINGBIT attack against any of these devices would come out of thin air, bypassing existing security controls, and catching these organizations unprotected.