Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover

  /     /     /  
Publicated : 23/11/2024   Category : security


Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover


Various devices remain vulnerable to the bug, which has existed without notice for years and allows an attacker to control devices as if from a Bluetooth keyboard.



Attackers can exploit a critical
Bluetooth security vulnerability
thats been lurking largely unnoticed for years on macOS, iOS, Android, and Linux device platforms. The keystroke injection vulnerability allows an attacker to control the targeted device as if they were attached by a Bluetooth keyboard, performing various functions remotely depending on the endpoint.
Tracked as
CVE-2023-45866
, the flaw exists in how in the Bluetooth protocol is implemented on various platforms. It works by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation, Marc Newlin, principal reverse engineer at SkySafe, revealed in
a blog post published Dec. 6
.
The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker, he explained.
The vulnerability enables an attacker to pair an emulated Bluetooth keyboard with a victims phone or computer, implementing the keyboard as a Python script that runs on a Linux computer. The attacker can then inject keystrokes, typing on the target device as if they were a Bluetooth keyboard legitimately attached to the target.
This effectively allows someone to perform arbitrary actions as the user on exploited devices, Newlin explains. On Android or iOS, this includes any actions the user can perform which do not require a password or biometric authentication, such as installing apps and forwarding emails or text messages, he says. On Linux and macOS, the attacker could launch a command-prompt and run arbitrary commands as well as install apps, Newlin adds.
While the flaw has been present for at least a good 10 years, it has been hiding in plain sight likely because of its simplicity, Newlin tells Dark Reading. He only discovered the issue after first exploring potential keystroke-injection vulnerabilities in Apples Magic Keyboard — a wireless keyboard for iOS and macOS — and moving on to explore the potential for the flaws more broadly in Bluetooth from there.
I think researchers tend to forget about the low-hanging fruit, he says. There has been plenty of research investigating weaknesses in the Bluetooth encryption schemes, but apparently nobody thought to look for simple authentication-bypass bugs.
Indeed, while
Bluetooth
is an incredibly useful protocol that has changed how people interact with various devices, its cross-platform, multi-device nature is proving to be complex in terms of security, causing
myriad issues
that patches cant keep up with.
Android has been vulnerable to the issue that Newlins discovered as far back as version 4.2.2, which was released in 2012. The same flaw was patched in Linux in 2020, but then the fix was left disabled by default, Newlin discovered.
Further, the vulnerability in macOS and iOS
bypasses Apples security protections and works in Lockdown Mode
, which is meant to protect devices from sophisticated cyberattacks, he said. 
A platforms level of exposure depends on the state of the device in question, Newlin said. On Android, for instance, devices are vulnerable whenever Bluetooth is enabled, while exploitation on Linux/BlueZ requires that Bluetooth is discoverable/connectable. iOS and macOS devices are vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer.
In January, Newlin will release proof-of-concept exploit scripts demonstrating how an attacker can exploit the flaw from a Linux-based computer using a standard
Bluetooth
adapter. However, a Linux system is not required to exploit the flaw, he tells Dark Reading.
Once the attacker has paired with the target phone or computer, they can inject keystrokes to perform arbitrary actions as the victim, provided those actions dont require a password or biometric authentication, he explained.
Newlin informed Apple, Google, and Canonical of the flaw in August, and informed Bluetooth SIG in September. There are patches for most affected devices, although some remain vulnerable, including Apple gear. At this time, there are no known active exploitation in the wild, Newlin says.
Newlin tested the following Android devices and found that they were all vulnerable: Pixel 7 running Android 14; Pixel 6 running Android 13; Pixel 4a (5G) running Android 13; Pixel 2 running Android 11; Pixel 2 running Android 10; Nexus 5 running Android 6.0.1; and BLU DASH 3.5 running Android 4.2.2.
There currently is no fix available for Android 4.2.2-10; however, an Android security
update
released this week mitigates the vulnerability in Android versions 11-14, although Newlin says hes not sure which OEMs have so far implemented the patch.
Newlin tested Ubuntu Linux versions 18.04, 20.04, 22.04, 23.10; all were vulnerable. There is a
patch
available on Github for BlueZ devices.
The 2022 MacBook Pro with MacOS 13.3.3, the 2017 MacBook Air with macOS 12.6.7, and iPhone SE running iOS 16.6 were all tested and found vulnerable, even in Lockdown Mode.
I reported the macOS and iOS vulnerabilities to Apple in August, and they confirmed my report, but have not shared their patch timeline, Newlin says. Apple is aware that I am publicly disclosing [this], and they have issued CVE-2023-42929.

Last News

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover