Critical Bluetooth flaw exposes Android, Apple & Linux devices to takeover

Elizabeth Montalbano, Dark Reading

December 7, 2023


Attackers can exploit a critical Bluetooth security vulnerability that’s been lurking largely unnoticed for years on macOS, iOS, Android, and Linux device platforms. The keystroke injection vulnerability allows an attacker to control the targeted device as if they were attached by a Bluetooth keyboard, performing various functions remotely depending on the endpoint.

Tracked as CVE-2023-45866, the flaw exists in how the Bluetooth protocol is implemented on various platforms. It works “by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation,” Marc Newlin, principal reverse engineer at SkySafe, revealed in a blog post published Dec. 6.

“The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker,” he explained.

The vulnerability enables an attacker to pair an emulated Bluetooth keyboard with a victim’s phone or computer, implementing the keyboard as a Python script that runs on a Linux computer. The attacker can then inject keystrokes, typing on the target device as if they were a Bluetooth keyboard legitimately attached to the target.

This effectively allows someone to “perform arbitrary actions as the user” on exploited devices, Newlin explains. “On Android or iOS, this includes any actions the user can perform which do not require a password or biometric authentication,” such as installing apps and forwarding emails or text messages, he says. On Linux and macOS, the attacker could launch a command-prompt and run arbitrary commands as well as install apps, Newlin adds.

Hiding in Plain Sight

While the flaw has been present for at least a good 10 years, it has been hiding in plain sight likely because of its simplicity, Newlin tells Dark Reading. He only discovered the issue after first exploring potential keystroke-injection vulnerabilities in Apple’s Magic Keyboard — a wireless keyboard for iOS and macOS — and moving on to explore the potential for the flaws more broadly in Bluetooth from there.

“I think researchers tend to forget about the low-hanging fruit,” he says. “There has been plenty of research investigating weaknesses in the Bluetooth encryption schemes, but apparently nobody thought to look for simple authentication-bypass bugs.”

Indeed, while Bluetooth is an incredibly useful protocol that has changed how people interact with various devices, its cross-platform, multi-device nature is proving to be complex in terms of security, causing myriad issues that patches can’t keep up with.

Android has been vulnerable to the issue that Newlin discovered as far back as version 4.2.2, which was released in 2012. The same flaw was patched in Linux in 2020, but then the fix was left disabled by default, Newlin discovered.
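The article notes that the Linux fix shipped disabled by default but does not name the setting. The following audit script is an added example, not code from the article or from Newlin, and it assumes that the fix in question is the BlueZ ClassicBondedOnly option in /etc/bluetooth/input.conf, which limits HID (keyboard and mouse) connections to bonded devices. The three sample configurations it checks are constructed for the example; the default one mirrors the common stock layout where the option appears only as a commented-out line and so is not in effect.

```sh
#!/bin/sh
# Added example (not from the article): audit a BlueZ input.conf for the
# ClassicBondedOnly setting. Assumption: this is the Linux mitigation the
# article refers to, and it is off unless an uncommented line enables it.

# Print the effective value of ClassicBondedOnly in the given input.conf:
# "true", "false", or "unset". A commented-out line such as
# "#ClassicBondedOnly=true" is an example, not a setting, and counts as unset.
# The last uncommented assignment wins, matching key=value parsing.
effective_classic_bonded_only() {
    conf="$1"
    [ -r "$conf" ] || { echo unset; return; }
    val=$(sed -n 's/^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        true|TRUE|True)    echo true ;;
        false|FALSE|False) echo false ;;
        *)                 echo unset ;;
    esac
}

# Report whether the file enforces bonding for HID connections.
# Returns 0 when hardened, 1 otherwise.
audit_input_conf() {
    state=$(effective_classic_bonded_only "$1")
    if [ "$state" = true ]; then
        echo "OK   $1: ClassicBondedOnly=true (HID connections limited to bonded devices)"
        return 0
    fi
    echo "WARN $1: ClassicBondedOnly is $state; unbonded HID devices may be accepted"
    return 1
}

# Constructed sample configurations (not copied from any real system).
SAMPLE_DIR=$(mktemp -d)

# 1. Stock layout: the option is present only as a commented-out example.
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
[General]
#UserspaceHID=true
# Limit HID connections to bonded devices
#ClassicBondedOnly=true
EOF

# 2. Hardened: the option is enabled (whitespace around '=' is tolerated).
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
[General]
ClassicBondedOnly = true
EOF

# 3. Explicitly weakened: the option is set but disabled.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
[General]
ClassicBondedOnly=false
EOF

# Demonstration run over the three samples; a WARN line means the host
# still accepts HID connections from devices that never bonded.
for f in "$SAMPLE_DIR/default.conf" "$SAMPLE_DIR/hardened.conf" "$SAMPLE_DIR/weak.conf"; do
    audit_input_conf "$f" || :
done
```

On a real host, run `audit_input_conf /etc/bluetooth/input.conf` after sourcing the script; the check reads only the file, so it can be dropped into a configuration-compliance scan without touching the Bluetooth stack. The distinction between "unset" and "false" matters because the stock file ships the enabling line commented out, which looks hardened at a glance but is not.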

Further, the vulnerability in macOS and iOS bypasses Apple’s security protections and works in Lockdown Mode, which is meant to protect devices from sophisticated cyberattacks, he said.

To read the complete article, visit Dark Reading.
