A years-old Bluetooth authentication bypass vulnerability allows miscreants to connect to Apple, Android and Linux devices and inject keystrokes to run arbitrary commands, according to a software engineer at drone technology firm SkySafe.
The bug, tracked as CVE-2023-45866, doesn't require any special hardware to exploit, and the attack can be pulled off from a Linux machine using a regular Bluetooth adapter, says Marc Newlin, who found the flaw and reported it to Apple, Google, Canonical, and Bluetooth SIG. Newlin says he'll provide vulnerability details and proof-of-concept code at an upcoming conference but wants to hold off until everything is patched.
The attack allows a nearby intruder to inject keystrokes and execute malicious actions on victims' devices, as long as they don't require a password or biometric authentication.
Regular readers may remember Newlin from a similar set of Bluetooth flaws he uncovered in 2016.
These, dubbed MouseJack, exploited keystroke-injection vulnerabilities in wireless mice and keyboards from 17 different vendors.
Newlin says he tested a BLU DASH 3.5 running Android 4.2.2, which was released in 2012, and found it vulnerable to the flaw.
There is no fix for the issue on Android 4.2.2 through 10.
While the issue was fixed in Linux in 2020, Newlin says ChromeOS is the only Linux-based operating system that enabled the fix.
Other Linux distros including Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine left it disabled by default.
The 2020 patch mitigates the flaw in BlueZ. The bug also affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable phone or computer.
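The article says the BlueZ fix shipped in 2020 but was left disabled by default on most distros. The check below is an added example, not code from the article or from the BlueZ project; it assumes (my identification, not the article's) that the relevant setting is the ClassicBondedOnly option in BlueZ's input.conf, and it runs against constructed sample files rather than a live system.

```shell
#!/bin/sh
# Added example: report whether a BlueZ input.conf enables ClassicBondedOnly,
# the option that requires bonding before a Classic HID device may connect.
# On a real host the file is normally /etc/bluetooth/input.conf; the sample
# files below are constructed for this demonstration.

# Returns 0 (mitigated) if [General] sets ClassicBondedOnly=true,
# 1 otherwise (unreadable file, missing key, other section, other value).
bluez_classic_bonded_only_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk '
        /^[[:space:]]*#/ { next }                 # commented-out lines do not count
        /^[[:space:]]*\[/ {                       # track the current [Section]
            sect = $0; gsub(/\[|\]|[[:space:]]/, "", sect); next
        }
        sect == "General" && /^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
            split($0, kv, "="); val = kv[2]
            gsub(/[[:space:]]/, "", val)
            if (tolower(val) == "true") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Constructed sample files: a distro default (option commented out) and a
# hardened one. Prints the temporary directory holding them.
make_samples() {
    dir=$(mktemp -d)
    printf '[General]\n#ClassicBondedOnly=false\n' > "$dir/default.conf"
    printf '[General]\nClassicBondedOnly=true\n' > "$dir/hardened.conf"
    echo "$dir"
}

report() {
    if bluez_classic_bonded_only_enabled "$1"; then
        echo "$1: ClassicBondedOnly enabled (mitigated)"
    else
        echo "$1: ClassicBondedOnly not enabled (unbonded HID connections allowed)"
    fi
}

dir=$(make_samples)
report "$dir/default.conf"
report "$dir/hardened.conf"
```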
Critically, it works in Apple's Lockdown Mode, which the vendor claims can protect devices against sophisticated attacks.
He told The Register that Apple did confirm his report, but hasn't shared a patch timeline for the vulnerability.
Apple did not respond to The Register's inquiries.
This Cyber News was published on go.theregister.com. Publication date: Wed, 06 Dec 2023 21:13:05 +0000