Apple and some Linux distros are open to Bluetooth attack
A years-old Bluetooth authentication bypass vulnerability allows miscreants to connect to Apple, Android and Linux devices and inject keystrokes to run arbitrary commands, according to a software engineer at drone technology firm SkySafe.
The bug, tracked as CVE-2023-45866, doesn't require any special hardware to exploit, and the attack can be pulled off from a Linux machine using a regular Bluetooth adapter, says Marc Newlin, who found the flaw and reported it to Apple, Google, Canonical, and Bluetooth SIG. Newlin says he'll provide vulnerability details and proof-of-concept code at an upcoming conference but wants to hold off until everything is patched.
"The vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation. The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker."
Regular readers may remember Newlin from a similar set of Bluetooth flaws he uncovered in 2016.
While the issue was fixed in Linux in 2020, Newlin says ChromeOS is the only Linux-based operating system that enabled the fix.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/06/bluetooth_bug_apple_linux/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-12-08 | CVE-2023-45866 | Improper Authentication vulnerability in multiple products. Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. | 6.3