Serious Threat to Users of Google and Apple Products Running iOS and Android


In the world of mobile technology, there is worrying news for users of Google and Apple devices, including Android and iOS. An authentication vulnerability in the Bluetooth protocol allows attackers to connect to vulnerable devices as a virtual keyboard and inject keystrokes. This issue, tracked as CVE-2023-45866, allows nearby attackers to connect to discoverable hosts via Bluetooth without user confirmation.

This vulnerability was discovered by software engineer Marc Newlin, who warned about the danger it poses. According to Newlin, "A nearby attacker can connect to a vulnerable device via unauthenticated Bluetooth and inject keystrokes to, for example, install applications, execute arbitrary commands, or forward messages, etc."

The attack can be performed using a Linux machine and a regular Bluetooth adapter. An adversary could exploit the vulnerability to perform arbitrary actions, provided those actions do not require a password or biometric authentication.

Initially, Newlin identified this problem in macOS and iOS operating systems, which are vulnerable even in "Lockdown" mode. He later discovered similar vulnerabilities in Android and Linux, finding them to be the result of a combination of implementation issues and protocol errors.

According to Newlin, the vulnerabilities work by tricking the Bluetooth host's state machine into pairing with a fake keyboard without user confirmation. The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and specific implementation errors expose it to the attacker.

According to the engineer, Android devices running versions starting from 4.2.2 are affected, if they have Bluetooth enabled. Google included patches for this vulnerability in the December 2023 Android security updates. Devices running security patch version 2023-12-05, available for Android 11 through 14, are protected against this vulnerability.

Linux devices with Bluetooth set to "discoverable/connectable" are also affected. Although the issue was fixed on this platform in 2020 under the name CVE-2020-0556, "the fix remained disabled by default," Newlin says. Ubuntu, Debian, Fedora, Gentoo, Arch, and Alpine have announced patches for this vulnerability, but only ChromeOS has enabled the fix so far.
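As an added example (not from Newlin's advisory or any vendor), the following script checks the two fixes described above: the Android security patch level and the BlueZ setting behind the 2020 fix. The option name `ClassicBondedOnly`, the path `/etc/bluetooth/input.conf` and the Android property `ro.build.version.security_patch` are not named in the article; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: defensive checks for the fixes described in the article.
FIXED_PATCH_LEVEL="2023-12-05"   # patch level given in the article

# Return 0 if an Android patch level (YYYY-MM-DD) is at or past the fix,
# 1 if it is older, 2 if the value is not a date.
# On a device: adb shell getprop ro.build.version.security_patch
android_patch_ok() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes and compare the dates as integers.
    [ "$(echo "$level" | sed 's/-//g')" -ge "$(echo "$FIXED_PATCH_LEVEL" | sed 's/-//g')" ]
}

# Print the ClassicBondedOnly value set in a BlueZ input.conf:
# true, false, or unset (the BlueZ build's default then applies).
bluez_bonded_only() {
    conf=$1
    [ -r "$conf" ] || { echo unset; return; }
    # Commented lines are skipped; the last uncommented assignment is used.
    val=$(sed -n 's/^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    case $val in
        true|false) echo "$val" ;;
        *) echo unset ;;
    esac
}

# Demonstration on constructed sample input (not taken from a real host).
sample=$(mktemp)
printf '[General]\n#ClassicBondedOnly=true\nClassicBondedOnly = false\n' > "$sample"
echo "sample input.conf ClassicBondedOnly: $(bluez_bonded_only "$sample")"
for lvl in 2023-11-05 2023-12-05; do
    if android_patch_ok "$lvl"; then
        echo "$lvl: patched"
    else
        echo "$lvl: not patched"
    fi
done
rm -f "$sample"
```

On a real Linux host, call `bluez_bonded_only /etc/bluetooth/input.conf`; a result of `false` or `unset` on an unpatched BlueZ build means the fix is not active.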

As for macOS and iOS, they are also vulnerable if Bluetooth is enabled and a pairing has been made with a Magic Keyboard. "Lockdown mode does not prevent this attack," Newlin warned.

This vulnerability is a serious threat to users of Google and Apple devices, including Android and iOS, and highlights the importance of frequently updating operating systems and taking appropriate security measures to protect personal data and devices. It is crucial that users install the latest security updates and stay aware of the risks of using Bluetooth in unsecured environments.