December 6, 2023 at 12:18PM
A critical Bluetooth vulnerability, CVE-2023-45866, enabling keystroke injection on macOS, iOS, Android, and Linux, allows attackers to remotely perform actions on devices without user confirmation. Discovered by Marc Newlin, who will release proof-of-concept exploits, it affects multiple platforms with varying levels of exposure. Patches are available for some, but not all, affected devices.
Meeting Takeaways:
1. A critical Bluetooth security vulnerability has been identified across multiple platforms, including macOS, iOS, Android, and Linux, allowing keystroke injection attacks.
2. The vulnerability, tracked as CVE-2023-45866, leverages a flaw in the Bluetooth protocol as implemented on these platforms, which allows unauthenticated pairing with a fake Bluetooth keyboard without user confirmation.
3. Marc Newlin of SkySafe disclosed the vulnerability, which has been present for over a decade but went unnoticed due to its simplicity and researchers’ focus on more complex issues.
4. The exploit enables attackers to remotely perform actions on the targeted devices that do not require password or biometric verification, such as installing apps or issuing commands.
5. The flaw affects various versions of Android (as far back as 4.2.2), Linux, macOS, and iOS – and also affects devices in Apple’s Lockdown Mode.
6. Newlin will release proof-of-concept exploit scripts in January to demonstrate the vulnerability.
7. While patches have been released for most affected devices, some, including Apple devices, remain vulnerable. A released Android security update mitigates the issue for versions 11-14, but it’s unclear which OEMs have implemented the patch.
8. Affected devices tested by Newlin include several models of Google Pixel, Nexus 5, BLU DASH 3.5, various Ubuntu Linux versions, and Apple devices such as the MacBook Pro, MacBook Air, and iPhone SE.
9. Newlin reported the vulnerabilities to Apple, Google, Canonical, and the Bluetooth SIG between August and September; some companies have responded with patches, while Apple has not yet shared a patch timeline.
10. There is no known active exploitation of the vulnerability in the wild at this time, but devices remain at risk until fully patched.