VU#763183: Amp’ed RF BT-AP 111 Bluetooth access point lacks an authentication mechanism

Overview

The Amp’ed RF BT-AP 111 Bluetooth Access Point exposes an HTTP-based administrative interface without authentication controls. This allows an unauthenticated remote attacker to gain full administrative access to the device.

Description

The Amp’ed RF BT-AP 111 is a Bluetooth-to-Ethernet bridge that can function as an access point or a Bluetooth gateway. According to the vendor’s website, the device supports Universal Plug and Play (UPnP) on the Ethernet side and acts as a UART Serial device to support up to seven simultaneous Bluetooth connections.

The BT-AP 111 provides a web-based administrative interface over HTTP. However, this interface does not implement any authentication mechanism. As a result, any user with network access to the device’s HTTP port can view and modify the administrative interface. An attacker with such access can alter Bluetooth configurations, network parameters, and other security-related settings.

According to NIST guidance, authentication is an expected baseline security control even for near-field or Bluetooth devices. The NIST Guide to Bluetooth Security (SP 800-121 Rev. 2), defines security levels that require at least authentication (Service Level 2) and preferably authentication and authorization (Service Level 1). More broadly, NIST SP 800-124 Rev. 1 emphasizes that devices should enforce authentication before granting access to configuration or administrative resources. The absence of authentication on the BT-AP 111 administrative web interface is therefore inconsistent with established best practices.

Impact

An attacker with network access (local or remote) to the web interface can gain full administrative control of the device and modify any settings exposed through the interface.

Solution

At this time, CERT/CC has not received a response from the vendor regarding this vulnerability. Since the device cannot be secured with authentication or any access controls, it is recommended that any deployments be restricted to isolated networks that are inaccessible to untrusted users.

Acknowledgements

Thanks to the reporter, Souvik Kandar. This document was written by Timur Snoke.