Apple and some Linux distros are open to Bluetooth attack


December 6, 2023 at 03:57PM

A Bluetooth vulnerability, CVE-2023-45866, allows unauthorized keystroke injection into Apple, Android, and Linux devices, enabling attackers to execute commands remotely. Marc Newlin discovered and reported the bug, which can be exploited from Linux using standard hardware. Fixes are available for newer Android versions and ChromeOS, but not all systems are patched. Apple and other Linux distros remain vulnerable, and details will be presented at a future conference.

Meeting Takeaways:

1. Vulnerability Identified: Software engineer Marc Newlin from SkySafe has uncovered a Bluetooth authentication bypass vulnerability present for years affecting Apple, Android, and Linux devices.

2. CVE Identifier: The vulnerability is tracked as CVE-2023-45866 and allows attackers to connect to devices to inject keystrokes and execute arbitrary commands.

3. Exploit Details: No special hardware is needed; a standard Bluetooth adapter on a Linux machine is sufficient for carrying out the attack.

4. Vulnerability Disclosure: Newlin has reported the flaw to Apple, Google, Canonical, and Bluetooth SIG and will present further details and proof-of-concept at an upcoming conference.

5. Conditions for Exploit: The attack can be executed on devices without a password or biometric authentication, provided the attacker is within Bluetooth range of the target.

6. Previous Research: Newlin previously identified similar security issues in 2016 known as MouseJack, impacting wireless mice and keyboards.

7. Affected Devices: A test confirmed that an Android phone running Android 4.2.2 (released in 2012) is susceptible, and no fix is available for Android 4.2.2 through 10.

8. Vendor Responses: Google has provided fixes for Android versions 11-14, with updates for supported Pixel devices available in the December OTA updates. The issue is rated high severity in the Android security bulletin.

9. Linux Distribution Patch Status: The flaw was fixed in Linux in 2020, but most distributions have the fix disabled by default. ChromeOS has enabled the fix, but Ubuntu (multiple versions), Debian, Fedora, Gentoo, Arch, and Alpine are still vulnerable.

10. macOS and iOS Implications: The flaw also impacts macOS and iOS when a Magic Keyboard is paired to the device and Bluetooth is enabled, including in Apple’s Lockdown Mode, which is supposed to protect against sophisticated attacks.

11. Apple’s Acknowledgment: Newlin disclosed the issue to Apple in August. Apple confirmed the report but hasn’t provided a patch timeline or responded to inquiries from The Register.

Key Actions Required:
– Alert the relevant teams within the organization about the CVE-2023-45866 vulnerability.
– Check for patch updates on Apple, Android, and Linux-based devices, particularly those models identified as vulnerable.
– Consider advising users within the organization to disable Bluetooth when not in use, especially on devices that may be affected.
– Monitor relevant security bulletins for updates on this vulnerability and disseminate this information as appropriate.
– Engage with IT security to plan for implementing necessary patches and measures to mitigate the risk.
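Takeaway 9 says the Linux-side fix exists but ships disabled on most distributions, and the first check action above is to verify patch state. As an added example that is not part of the article: a POSIX shell check for whether the BlueZ HID input daemon is configured to accept connections only from bonded devices. The configuration key `ClassicBondedOnly` in `/etc/bluetooth/input.conf` comes from upstream BlueZ, not from this article, the system path is an assumption, and the two sample config files are constructed to show both outcomes.

```shell
#!/bin/sh
# Added example (not from the article). Checks whether BlueZ's input.conf
# enables ClassicBondedOnly=true under [General]. The key name is from
# upstream BlueZ; the /etc/bluetooth/input.conf path is an assumption.

# classic_bonded_only_enabled <path>
#   returns 0 when an uncommented "ClassicBondedOnly=true" is present in the
#   [General] section, 1 otherwise (missing file, commented out, false, or
#   the key only appearing in another section).
classic_bonded_only_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk '
        /^[[:space:]]*[#;]/ { next }                        # skip comment lines
        /^[[:space:]]*\[/ {                                 # section header
            in_general = ($0 ~ /^[[:space:]]*\[General\]/)
            next
        }
        in_general && /^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])                  # tolerate "key = value"
            if (tolower(kv[2]) == "true") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# report <path>: human-readable verdict for one config file.
report() {
    if classic_bonded_only_enabled "$1"; then
        echo "$1: ClassicBondedOnly enabled (bonded HID devices only)"
    else
        echo "$1: ClassicBondedOnly NOT enabled (unauthenticated HID accepted)"
    fi
}

# Constructed sample configs: the commented-out default and the fixed form.
tmpdir=$(mktemp -d)
cat > "$tmpdir/default.conf" <<'EOF'
[General]
# ClassicBondedOnly=true
EOF
cat > "$tmpdir/fixed.conf" <<'EOF'
[General]
ClassicBondedOnly=true
EOF

report "$tmpdir/default.conf"
report "$tmpdir/fixed.conf"
rm -rf "$tmpdir"

# On a real host (path is an assumption): report /etc/bluetooth/input.conf
```

The check deliberately ignores the key outside `[General]` and treats a commented line as disabled, since both are easy ways for a setting to look present while doing nothing; after changing the file, bluetoothd has to be restarted for the new value to take effect.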

(End of meeting takeaways.)