Attackers can exploit a critical Bluetooth security vulnerability that's been lurking largely unnoticed for years on macOS, iOS, Android, and Linux device platforms.
The keystroke injection vulnerability allows an attacker to control the targeted device as if they were attached by a Bluetooth keyboard, performing various functions remotely depending on the endpoint.
Tracked as CVE-2023-45866, the flaw exists in how the Bluetooth protocol is implemented on various platforms.
The vulnerability enables an attacker to pair an emulated Bluetooth keyboard with a victim's phone or computer, implementing the keyboard as a Python script that runs on a Linux computer.
The attacker can then inject keystrokes, typing on the target device as if they were a Bluetooth keyboard legitimately attached to the target.
On Linux and macOS, the attacker could launch a command prompt and run arbitrary commands as well as install apps, Newlin adds.
Hiding in Plain Sight
While the flaw has been present for at least a good 10 years, it has been hiding in plain sight likely because of its simplicity, Newlin tells Dark Reading.
He only discovered the issue after first exploring potential keystroke-injection vulnerabilities in Apple's Magic Keyboard - a wireless keyboard for iOS and macOS - and moving on to explore the potential for the flaws more broadly in Bluetooth from there.
While Bluetooth is an incredibly useful protocol that has changed how people interact with various devices, its cross-platform, multi-device nature is proving to be complex in terms of security, causing myriad issues that patches can't keep up with.
The same flaw was patched in Linux in 2020, but then the fix was left disabled by default, Newlin discovered.
Further, the vulnerability in macOS and iOS bypasses Apple's security protections and works in Lockdown Mode, which is meant to protect devices from sophisticated cyberattacks, he said.
Bluetooth Exploit Forthcoming
A platform's level of exposure depends on the state of the device in question, Newlin said.
Android devices are vulnerable whenever Bluetooth is enabled, while exploitation on Linux/BlueZ requires that Bluetooth is discoverable/connectable.
iOS and macOS devices are vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer.
In January, Newlin will release proof-of-concept exploit scripts demonstrating how an attacker can exploit the flaw from a Linux-based computer using a standard Bluetooth adapter.
Disclosure and Mitigation
Newlin informed Apple, Google, and Canonical of the flaw in August, and informed Bluetooth SIG in September.
There are patches for most affected devices, although some remain vulnerable, including Apple gear.
There currently is no fix available for Android 4.2.2-10; however, an Android security update released this week mitigates the vulnerability in Android versions 11-14, although Newlin says he's not sure which OEMs have so far implemented the patch.
Newlin tested Ubuntu Linux versions 18.04, 20.04, 22.04, 23.10; all were vulnerable.
There is a patch available on GitHub for BlueZ devices.
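A defender-side check that follows from the BlueZ detail above (a fix present since 2020 but left off by default), added here as an example that is not from the article or from Newlin's research: a POSIX shell function that reads a BlueZ input.conf and reports whether ClassicBondedOnly=true, the input-profile setting that limits HID (keyboard) connections to devices that are already bonded. That this is the setting the article alludes to is my assumption; confirm it against your BlueZ version, and on a live system point the function at /etc/bluetooth/input.conf.

```shell
#!/bin/sh
# Added example (not from the article): audit a BlueZ input.conf for the
# bonded-only HID hardening. Assumption: ClassicBondedOnly is the option the
# article's "fix left disabled by default" refers to; check your BlueZ docs.

# Print the effective value of ClassicBondedOnly ("true"/"false").
# Lines commented out with '#' are ignored, and a missing key or missing
# file yields "false", matching the pre-patch BlueZ default.
bluez_classic_bonded_only() {
    conf="$1"
    val=""
    if [ -r "$conf" ]; then
        # Last uncommented assignment wins; tolerate spaces around '='.
        val=$(sed -n 's/^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    [ -z "$val" ] && val="false"
    printf '%s\n' "$val" | tr 'A-Z' 'a-z'
}

# Exit 0 when the file enforces bonded-only HID connections, 1 otherwise.
bluez_input_hardened() {
    [ "$(bluez_classic_bonded_only "$1")" = "true" ]
}

# Constructed sample configs so the script runs stand-alone offline.
tmpdir=$(mktemp -d)
printf '[General]\n#ClassicBondedOnly=false\n' > "$tmpdir/default.conf"
printf '[General]\nClassicBondedOnly=true\n' > "$tmpdir/hardened.conf"

for f in "$tmpdir/default.conf" "$tmpdir/hardened.conf"; do
    if bluez_input_hardened "$f"; then
        echo "$f: ClassicBondedOnly=true, HID limited to bonded devices"
    else
        echo "$f: ClassicBondedOnly not enforced, unbonded HID connections accepted"
    fi
done
rm -rf "$tmpdir"
```

Note that this only covers the BlueZ side of the condition the article describes; whether the adapter is discoverable or connectable at all is a separate check.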
This Cyber News was published on www.darkreading.com. Publication date: Wed, 06 Dec 2023 17:20:06 +0000