Bluetooth vulnerability allows keystroke injection on Android, Linux, macOS, and iOS


Keystroke injection is a method by which malicious commands or remote keystrokes are injected into a system to compromise or manipulate its functionality, often exploited for unauthorized access or control.

A critical Bluetooth vulnerability allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. The vulnerability is tracked as CVE-2023-45866 and was disclosed by security researcher Marc Newlin.

It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, which could allow them to install malicious applications, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). Software vendors were notified of the flaw in August 2023.

This class of vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. At the time, Bluetooth was assumed to be secure and promoted as a better alternative to the weak ad hoc protocols those devices used.

In 2023, that earlier work led Newlin to focus on Apple’s Magic Keyboard, because it relies on Bluetooth and because of Apple’s security reputation. Initial research turned up little public information about Bluetooth on macOS and iOS, which required extensive learning.

Later, unauthenticated vulnerabilities were discovered in macOS and iOS that were exploitable even when Lockdown Mode is enabled. Similar flaws were identified in Linux and Android, indicating a broader issue beyond any individual implementation. Analysis of the Bluetooth HID specification revealed a range of errors in both the design and the implementation of the protocol.

Newlin explained in his write-up published on GitHub that multiple Bluetooth stacks contain authentication-bypass vulnerabilities. The attack exploits the “unauthenticated pairing mechanism” specified within the Bluetooth specification to trick the target device into accepting a fake keyboard.

This deception allows attackers in close proximity to connect and enter keystrokes, potentially enabling them to install applications and execute arbitrary commands. It is worth noting that unpatched devices are vulnerable under certain circumstances, such as:

  • Android: Bluetooth must be activated.
  • Linux/BlueZ: Bluetooth must be discoverable/connectable.
  • iOS/macOS: Bluetooth must be enabled and Magic Keyboard must be paired with the device.

These vulnerabilities can be exploited using a standard Bluetooth adapter on a Linux computer. It is worth noting that some of the weaknesses predate “MouseJack”, affecting Android devices since version 4.2.2 (released in 2012).

Commenting to Hackread.com, Ken Dunham, cyber threat manager at Qualys, said: “Two new Bluetooth vulnerabilities found in Android, Linux, MacOS and iOS enable unauthorized attackers to perform ‘unauthenticated pairing’, then potentially enable execution of code and run arbitrary commands.

“Bluetooth attacks are limited to close physical proximity. Alternatively, users of vulnerable systems can limit the attack surface and risk until they are corrected by disabling Bluetooth.”

While a fix for the Linux vulnerability has been around since 2020 (CVE-2020-0556), surprisingly, it was left disabled by default. Despite announcements from major Linux distributions, only ChromeOS is known to have implemented the fix. The latest BlueZ patch for CVE-2023-45866 finally enables this critical fix by default.
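The two Linux/BlueZ conditions above (the adapter being discoverable or connectable, and the 2020 fix being left off) can be audited from the defender's side. The script below is an added example, not code from the article or from BlueZ; it assumes the `bluetoothctl show` output format (`Discoverable:` / `Pairable:` lines) and that the option the article refers to is `ClassicBondedOnly` in `/etc/bluetooth/input.conf`, and it embeds constructed sample data so it can run offline.

```shell
#!/bin/sh
# bluez_hid_audit.sh: flag a BlueZ host that matches the exposure conditions
# described for CVE-2023-45866. Added example; not from the article or BlueZ.

# Constructed sample of `bluetoothctl show` output (for the --demo run).
SAMPLE_SHOW='Controller AA:BB:CC:DD:EE:FF (public)
	Name: laptop
	Powered: yes
	Discoverable: yes
	Pairable: yes'

# Constructed sample input.conf with the fix still commented out (assumed
# option name: ClassicBondedOnly, defaulted to false before the 2023 patch).
SAMPLE_INPUT_CONF='[General]
#ClassicBondedOnly=false
IdleTimeout=30'

# adapter_exposed "<show output>": succeeds if the adapter is discoverable
# or pairable, i.e. reachable by an unsolicited pairing attempt.
adapter_exposed() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(Discoverable|Pairable): yes[[:space:]]*$'
}

# bonded_only_enforced "<input.conf text>": succeeds only when an
# uncommented ClassicBondedOnly=true line is present.
bonded_only_enforced() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# audit "<show output>" "<input.conf text>": print warnings; return 1 if any.
audit() {
  rc=0
  if adapter_exposed "$1"; then
    echo "WARN: adapter is discoverable/pairable; make it non-discoverable when idle"
    rc=1
  fi
  if ! bonded_only_enforced "$2"; then
    echo "WARN: ClassicBondedOnly=true not set in input.conf (CVE-2020-0556 fix off)"
    rc=1
  fi
  return $rc
}

case "${1:-}" in
  --demo) audit "$SAMPLE_SHOW" "$SAMPLE_INPUT_CONF" ;;          # sample data
  --live) audit "$(bluetoothctl show 2>/dev/null)" \
                "$(cat /etc/bluetooth/input.conf 2>/dev/null)" ;; # real host
esac
```

Run with `--demo` to see both warnings on the constructed data, or `--live` on a BlueZ host (root is not needed to read either source on most distributions).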

It is a serious security vulnerability that affects a wide range of devices, and exposes potential security risks inherent in Bluetooth technology. However, according to Google, fixes for these issues affecting Android 11 to 14 are available to affected OEMs. All currently supported Pixel devices will receive this fix via the December OTA updates.
