Apple and some Linux distros are open to Bluetooth attack
Issue has been around since at least 2012
A years-old Bluetooth authentication bypass vulnerability allows miscreants to connect to Apple, Android and Linux devices and inject keystrokes to run arbitrary commands, according to a software engineer at drone technology firm SkySafe.
The bug, tracked as CVE-2023-45866, doesn't require any special hardware to exploit, and the attack can be pulled off from a Linux machine using a regular Bluetooth adapter, says Marc Newlin, who found the flaw and reported it to Apple, Google, Canonical, and Bluetooth SIG.
Newlin says he'll provide vulnerability details and proof-of-concept code at an upcoming conference but wants to hold off until everything is patched. The attack allows a nearby intruder to inject keystrokes and execute malicious actions on victims' devices, as long as they don't require a password or biometric authentication.
In a GitHub post published on Wednesday, the bug hunter describes the security flaw thus:
"The vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation. The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker."
Regular readers may remember Newlin from a similar set of Bluetooth flaws he uncovered in 2016. These, dubbed MouseJack, exploited keystroke-injection vulnerabilities in wireless mice and keyboards from 17 different vendors.
CVE-2023-45866, however, is even older than MouseJack. Newlin says he tested a BLU DASH 3.5 running Android 4.2.2, which was released in 2012, and found it vulnerable to the flaw. In fact, there is no fix for the issue on Android 4.2.2 through 10.
Google issued the following statement to Newlin: "Fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates." Here are the details published in the Android security bulletin, with the flaw rated high severity.
While the issue was fixed in Linux in 2020, Newlin says ChromeOS is the only Linux-based operating system that enabled the fix. Other Linux distros including Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine left it disabled by default. Ubuntu 18.04, 20.04, 22.04, 23.10 remain vulnerable, we're told.
This patch mitigates the flaw in BlueZ.
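As an added example, not code from the article or from Newlin, here is a small POSIX shell check for the BlueZ setting the patch above concerns. It assumes the fix is the `ClassicBondedOnly` option in `/etc/bluetooth/input.conf` (when true, BlueZ refuses HID connections over Bluetooth Classic from devices that are not bonded), and it runs against constructed sample configs rather than a live system.

```shell
#!/bin/sh
# Reports whether a BlueZ input.conf enforces ClassicBondedOnly=true.
# Assumption: this is the option the BlueZ patch for CVE-2023-45866 turns
# on by default; distros shipping the older default of false stay exposed.

# check_classic_bonded_only FILE
#   prints "enforced" and returns 0 when ClassicBondedOnly=true,
#   prints "not enforced" and returns 1 otherwise (missing file or missing
#   key is treated as the pre-patch default of false).
check_classic_bonded_only() {
    conf="$1"
    [ -r "$conf" ] || { echo "not enforced"; return 1; }
    # Take the last uncommented assignment of the key; tolerate whitespace
    # around '=' and any letter case in the value.
    value=$(sed -n 's/^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$value" = "true" ]; then
        echo "enforced"
        return 0
    fi
    echo "not enforced"
    return 1
}

# Constructed samples: the weak (pre-patch) setting beside the corrected one.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[General]
# Pre-patch default: unbonded Classic HID devices may connect
ClassicBondedOnly=false
EOF

FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
[General]
ClassicBondedOnly=true
EOF

check_classic_bonded_only "$WEAK_CONF" || echo "  -> set ClassicBondedOnly=true and restart bluetooth.service"
check_classic_bonded_only "$FIXED_CONF"
# On a real host, point the check at the live config instead:
#   check_classic_bonded_only /etc/bluetooth/input.conf
```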
The bug also affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable phone or computer. Critically, it works in Apple's Lockdown Mode, which the vendor claims can protect devices against sophisticated attacks.
Newlin disclosed the issue to Apple back in August. He told The Register that Apple did confirm his report, but hasn't shared a patch timeline for the vulnerability.
Apple did not respond to The Register's inquiries. ®