A critical Bluetooth security flaw can be exploited by threat actors to take control of Android, Linux, macOS, and iOS devices.
Tracked as CVE-2023-45866, this issue is related to a case of authentication bypass that enables attackers to connect to vulnerable devices and inject keystrokes to obtain code execution by impersonating the victim.
“Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes,” said security researcher Marc Newlin, who disclosed the flaws to the software vendors in August 2023.
Specifically, the attack deceives the target device into thinking that it’s connected to a Bluetooth keyboard by taking advantage of an “unauthenticated pairing mechanism” that’s defined in the Bluetooth specification.
Successful exploitation of the flaw could allow an adversary in close physical proximity to connect to a vulnerable device and transmit keystrokes to install apps and run arbitrary commands.
It’s worth pointing out that the attack doesn’t require any special hardware, and can be performed from a Linux computer using a regular Bluetooth adapter. Additional technical details of the defect are expected to be released in the future.
The vulnerability affects a wide range of devices running Android (going back to version 4.2.2, which was released in November 2012), iOS, Linux, and macOS.
Additionally, the bug affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard is paired with a vulnerable device. It also works in Apple’s Lockdown Mode, which aims to provide protection against sophisticated digital threats.
In an advisory released this month, Google said CVE-2023-45866 “could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed.”