A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices.
Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.
"Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher Marc Newlin, who disclosed the flaws to the software vendors in August 2023.
Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification.
Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and transmit keystrokes to install apps and run arbitrary commands.
It's worth pointing out that the attack does not require any specialized hardware, and can be performed from a Linux computer using a regular Bluetooth adapter. Additional technical details of the flaw are expected to be released in the future.
The vulnerability affects a wide range of devices running Android (going back to version 4.2.2, which was released in November 2012), iOS, Linux, and macOS.
Further, the bug affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable device. It also works in Apple's LockDown Mode, which is meant to secure against sophisticated digital threats.
In an advisory released this month, Google said CVE-2023-45866 "could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed."
Update
Apple has rolled out fixes to address the Bluetooth security flaw, which it tracks as CVE-2024-0230, in Magic Keyboard Firmware Update 2.0.6. The patch is available for Magic Keyboard; Magic Keyboard (2021); Magic Keyboard with Numeric Keypad; Magic Keyboard with Touch ID; and Magic Keyboard with Touch ID and Numeric Keypad.
“An attacker with physical access to the accessory may be able to extract its Bluetooth pairing key and monitor Bluetooth traffic,” the company said.
Microsoft, which is tracking the bug as CVE-2024-21306 (CVSS score: 5.7), addressed it as part of its January 2024 Patch Tuesday updates released earlier this week.