
Critical Bluetooth HID flaw affects Linux, iOS, Mac and Android


A critical Bluetooth vulnerability, CVE-2023-45866, affects Android, Linux, macOS and iOS devices. The flaw allows unauthenticated keystroke-injection attacks, potentially compromising the security of countless users.

Cybersecurity researchers from SkySafe published a blog post on GitHub detailing the attack. The vulnerability targets the Bluetooth Human Interface Device (HID) protocol, exploiting its unauthenticated pairing mechanism.

The flaw enables attackers to trick the Bluetooth host's pairing state machine into pairing with a fake keyboard without user confirmation. Whether a device is exposed depends on conditions that vary across operating systems.

Android devices are susceptible whenever Bluetooth is enabled, while Linux/BlueZ is vulnerable when Bluetooth is discoverable/connectable. On iOS and macOS, the vulnerability arises when Bluetooth is enabled and a Magic Keyboard is paired with the device.

Once paired, attackers operating from a Linux computer with a standard Bluetooth adapter can inject keystrokes into the target device. This allows for unauthorised actions, such as installing apps, executing arbitrary commands, forwarding messages, and more. Notably, the vulnerabilities predate MouseJack, with the Android vulnerability traced back to version 4.2.2, which was released in 2012.

While the Linux vulnerability was addressed in 2020 (CVE-2020-0556), the fix remains disabled by default on many systems, with ChromeOS being an exception. Researchers will release full vulnerability details and proof-of-concept scripts at an upcoming conference.

The impact of these vulnerabilities is far-reaching, highlighting a potential threat to the security of wireless keyboards and mice. Researchers urge caution and emphasise the need for further scrutiny in developing secure wireless peripherals.

Lockdown Mode on iPhones won’t save your device from this flaw.

Here’s a list of devices affected by CVE-2023-45866, per the researchers. More devices could be affected.

  • Pixel 7 running Android 14
  • Pixel 6 running Android 13
  • Pixel 4a (5G) running Android 13
  • Pixel 2 running Android 11
  • Pixel 2 running Android 10
  • Nexus 5 running Android 6.0.1
  • BLU DASH 3.5 running Android 4.2.2
  • MacBook Pro M2 running on macOS 13.3.3 (2022 model)
  • MacBook Air running on macOS 12.6.7 (2017 model)
  • iPhone SE running on iOS 16.6

The severity of the attack can be understood from the fact that even Lockdown Mode on iPhones, a security measure by Apple, cannot prevent this attack. Apart from that, Ubuntu versions 18.04, 20.04, 22.04 and 23.10 seem to be affected. Users can download the patch for BlueZ on GitHub.
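A defender-side check for the point that the BlueZ fix ships disabled on many systems, as an added example that is not from the article, the researchers or the BlueZ project. It assumes BlueZ's `input.conf` keyword `ClassicBondedOnly` under `[General]` (set to `true`, classic HID connections must be bonded before they are accepted) and the usual path `/etc/bluetooth/input.conf`; the function names and the logic are our own.

```shell
#!/bin/sh
# Added example: report and fix the ClassicBondedOnly setting in a BlueZ
# input.conf. Older BlueZ releases defaulted this key to false, which is the
# "fix disabled by default" state the article describes.

# Prints "enabled" if ClassicBondedOnly=true is set (uncommented) in the
# [General] section of the file given as $1, otherwise "disabled".
# A missing file or missing key counts as disabled (the old default).
classic_bonded_only_state() {
    conf="${1:-/etc/bluetooth/input.conf}"
    [ -r "$conf" ] || { echo disabled; return 0; }
    value=$(
        awk -F= '
            /^[[:space:]]*\[/ { in_general = ($0 ~ /^[[:space:]]*\[General\]/) }
            in_general && $1 ~ /^[[:space:]]*ClassicBondedOnly[[:space:]]*$/ {
                gsub(/[[:space:]]/, "", $2); v = tolower($2)
            }
            END { print v }
        ' "$conf"
    )
    case "$value" in
        true) echo enabled ;;
        *)    echo disabled ;;
    esac
}

# Rewrites the file given as $1 so that [General] contains
# ClassicBondedOnly=true: replaces an existing uncommented key, otherwise
# appends it to [General] (creating the section and file if needed).
set_classic_bonded_only_true() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    tmp="${conf}.tmp.$$"
    awk '
        /^[[:space:]]*\[/ {
            if (in_general && !done) { print "ClassicBondedOnly=true"; done = 1 }
            in_general = ($0 ~ /^[[:space:]]*\[General\]/)
        }
        in_general && $0 ~ /^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
            if (!done) { print "ClassicBondedOnly=true"; done = 1 }
            next
        }
        { print }
        END {
            if (!done) { if (!in_general) print "[General]"; print "ClassicBondedOnly=true" }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}
```

After editing the file, restart the Bluetooth service (for example `systemctl restart bluetooth`) so bluetoothd re-reads it.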

Google has acknowledged the issue and released a statement. “Fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates,” said Google.

Last month, researchers discovered severe flaws in the Bluetooth standard, known as BLUFFS, that can lead to man-in-the-middle (MITM) attacks.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
