An urgent Bluetooth security flaw has surfaced, posing a significant threat to Android, Linux, macOS, and iOS devices.
Identified as CVE-2023-45866, the flaw centers on an authentication bypass that lets an attacker establish a connection with a vulnerable device without the user's consent and inject keystrokes, which amounts to executing commands as the unsuspecting user.
Security researcher Marc Newlin, who uncovered the vulnerabilities in August 2023, explained, “Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes.”
Exploiting the flaw involves tricking the targeted device into perceiving it’s linked to a Bluetooth keyboard, leveraging an “unauthenticated pairing mechanism” outlined in the Bluetooth specification.
Successfully exploiting this vulnerability enables an adversary within close physical proximity to connect to the affected device and transmit keystrokes, enabling the installation of apps and execution of arbitrary commands.
Notably, the attack does not necessitate specialized hardware and can be executed from a Linux computer utilizing a standard Bluetooth adapter. More technical insights into the flaw are anticipated to emerge soon.
The vulnerability impacts a broad spectrum of devices running Android (dating back to version 4.2.2 from November 2012), iOS, Linux, and macOS.
On macOS and iOS, the attack works when Bluetooth is enabled and a Magic Keyboard has been paired with the target; it succeeds even with Apple's Lockdown Mode enabled, the setting designed to protect against sophisticated targeted attacks.
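For a Linux host on the affected list, the precondition in Newlin's description is a discoverable controller, so the first thing to verify is that the adapter is not advertising itself. The script below is an added example (it is not code from the article or from Newlin's research) that parses the text output of BlueZ's `bluetoothctl show` and `bluetoothctl info <addr>` (real commands; the sample outputs embedded here are constructed) and reports a discoverable controller plus any connected HID keyboard the user never marked trusted or bonded. That second check is a review heuristic for an unexpected keyboard, not a signature of this CVE; the function names and the interpretation of the `Trusted`/`Bonded` fields as "accepted by the user" are this example's assumptions.

```python
"""Audit a Linux host's Bluetooth exposure via BlueZ's bluetoothctl output.

Added example (not the article's or the researcher's code). Parses
`bluetoothctl show` / `bluetoothctl info` text; all samples are constructed.
"""
import re
import subprocess

KEY_VALUE = re.compile(r"^\s*([A-Za-z]+):\s*(.*?)\s*$")
ADDRESS = re.compile(r"^(?:Controller|Device) ([0-9A-Fa-f:]{17})")
HID_UUID = "00001124-"  # Bluetooth HID service class UUID prefix (0x1124)

# Constructed `bluetoothctl show` output: host left discoverable with no timeout.
SAMPLE_SHOW = """Controller AA:BB:CC:DD:EE:01 (public)
\tName: workstation
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Human Interface Device    (00001124-0000-1000-8000-00805f9b34fb)
"""

# Constructed `bluetoothctl info` output: a connected keyboard the user never accepted.
SAMPLE_INFO_UNTRUSTED = """Device AA:BB:CC:DD:EE:02 (public)
\tName: Keyboard
\tClass: 0x00000540
\tIcon: input-keyboard
\tPaired: yes
\tBonded: no
\tTrusted: no
\tConnected: yes
\tUUID: Human Interface Device    (00001124-0000-1000-8000-00805f9b34fb)
"""

# Constructed `bluetoothctl info` output: a keyboard the user set up deliberately.
SAMPLE_INFO_TRUSTED = """Device AA:BB:CC:DD:EE:03 (public)
\tName: Magic Keyboard
\tIcon: input-keyboard
\tPaired: yes
\tBonded: yes
\tTrusted: yes
\tConnected: yes
"""


def parse_props(text):
    """Map bluetoothctl 'Key: value' lines to a dict; UUID lines become a list."""
    props = {"Address": None, "UUID": []}
    for line in text.splitlines():
        addr = ADDRESS.match(line)
        if addr:
            props["Address"] = addr.group(1)
            continue
        kv = KEY_VALUE.match(line)
        if kv:
            key, value = kv.groups()
            if key == "UUID":
                props["UUID"].append(value)
            else:
                props[key] = value
    return props


def is_keyboard(props):
    """True if the device presents as a HID keyboard by icon or advertised HID UUID."""
    if props.get("Icon", "").startswith("input-keyboard"):
        return True
    return any(HID_UUID in uuid for uuid in props["UUID"])


def controller_findings(show_text):
    """Findings for `bluetoothctl show`: discoverability is the attack precondition."""
    p = parse_props(show_text)
    findings = []
    if p.get("Discoverable") == "yes":
        findings.append("controller is discoverable; run `bluetoothctl discoverable off`")
        try:
            if int(p.get("DiscoverableTimeout", ""), 16) == 0:  # 0 = never times out
                findings.append("DiscoverableTimeout is 0, so discoverability never expires")
        except ValueError:
            pass
    return findings


def device_findings(info_text):
    """Findings for one `bluetoothctl info`: a connected keyboard the user never accepted."""
    p = parse_props(info_text)
    if not (is_keyboard(p) and p.get("Connected") == "yes"):
        return []
    findings = []
    if p.get("Trusted") != "yes":  # heuristic: user-accepted keyboards are normally trusted
        findings.append("connected keyboard is not trusted; review it or `bluetoothctl remove` it")
    if p.get("Bonded") == "no":  # field exists only on newer BlueZ releases
        findings.append("connected keyboard paired without bonding (no stored link key)")
    return [f"{p['Address']}: {f}" for f in findings]


def audit(show_text, info_texts):
    """Combine controller and per-device findings into one list of strings."""
    findings = [f"controller: {f}" for f in controller_findings(show_text)]
    for info in info_texts:
        findings.extend(device_findings(info))
    return findings


def audit_live():
    """Run the audit on this host (assumes bluetoothctl is installed and on PATH)."""
    def run(*args):
        return subprocess.run(["bluetoothctl", *args], capture_output=True, text=True).stdout
    addrs = [m.group(1) for m in map(ADDRESS.match, run("devices").splitlines()) if m]
    return audit(run("show"), [run("info", a) for a in addrs])


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW, [SAMPLE_INFO_UNTRUSTED, SAMPLE_INFO_TRUSTED]):
        print(finding)
```

Run it as-is to see the findings on the constructed samples, or call `audit_live()` on a real host. An empty list is the state you want: not discoverable, and every connected keyboard one you trusted yourself.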
Google, in a recent advisory, warned that CVE-2023-45866 “could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed.”
Update: Apple has swiftly responded to the Bluetooth security flaw, issuing fixes under CVE-2024-0230 with Magic Keyboard Firmware Update 2.0.6. The patch is applicable to various Magic Keyboard models, including those with Touch ID and Numeric Keypad.
Microsoft, tracking the issue as CVE-2024-21306 with a CVSS score of 5.7, has addressed it in its latest January 2024 Patch Tuesday updates, released earlier this week.